Pilz

Klaus Dürr | Inka Krischke

Change in the legal situation

Standards and directives provide global guidance on how products, machines and systems should be designed, manufactured and used safely. Digitalization and networking are changing the standards landscape, and the focus is shifting to industrial security requirements.

© adiruch na chiangmai/Fotolia; Pilz

Current status: The system has a CE marking. The safety components installed in it meet the requirements of the determined Performance Level (PLr) according to EN ISO 13849 or the Safety Integrity Level (SIL) according to EN IEC 62061. The system is considered functionally safe. However, the reassurance this provides is beginning to waver, as machines are being equipped with more and more digital elements that place new demands on safety: Could someone from outside damage the software? Could an unauthorized person gain access to the machine and change its programming? Could production failures and machine downtime result?

The ISO and IEC standards organizations have reacted and want to dispel these and similar concerns: they are currently defining new requirements for products, machines and systems in updated standards that focus on industrial security. The new Machinery Regulation, which replaces the previous Machinery Directive, also follows on from this. And that's not all: with the first draft of the 'Cyber Resilience Act', an EU regulation is in preparation that sets specific cybersecurity requirements for all component and machine manufacturers and operators of machines and systems.

EN IEC 62061 - Security as a safety aspect

Alongside EN ISO 13849, EN IEC 62061 is probably the most important functional safety standard. The standard defines the requirements and contains recommendations for the design, integration and validation of safety-related control systems for machines. Published in an updated form in 2022, it also defines security as a safety aspect: The standard specifies that "intentional attacks on the hardware, application programs and associated software as well as unintentional events due to human error" must be taken into account in the safety life cycle and throughout the entire life cycle of the machine or system. These must not adversely affect the integrity of safety. Safety functions must therefore be reassessed.

EN ISO 13849-1 - Safety-related software

Standards set the tone: Security (blue) moves into focus alongside safety (yellow) with the current changes in the standards landscape.

© Pilz

The revised version of ISO 13849-1 was published in April 2023. An important aspect concerns the requirements relating to software and functional safety management, i.e. how data is protected within the software of machines. Various types of software are covered, for example safety-related embedded software (SRESW), safety-related application software (SRASW) or software for parameterization. The standard provides suggestions for improvement on how these can be linked to the requirements for programming languages, whether limited variability languages (LVL) or full variability languages (FVL).

The new Machinery Regulation

In the context of the functional safety of machinery, the Machinery Directive (Directive 2006/42/EC) has been of particular importance to date. This is because it previously regulated the standardization of basic and mandatory European safety requirements for machinery. Now the Machinery Regulation replaces the Machinery Directive. Like every EU regulation, the Machinery Regulation comes into force 20 days after publication in the Official Journal and without being transposed into national law. Machine manufacturers and operators then have 42 months to comply with the new requirements for machines and systems, until the beginning of 2027 (cut-off date rule), which means that the new regulation must be applied from that date onward.

Compared to the Machinery Directive, the scope of application has not changed significantly: The new regulation covers machinery and "related products", clarifies how partly completed machinery that must be placed on the market with a declaration of incorporation is defined, but expands the category of safety components to include software. Within the essential health and safety requirements in Annex III, the Machinery Regulation now sets out requirements for cybersecurity under 1.1.9 "Protection against corruption". This states that cybersecurity threats must not impair the safety functions of the machine. This means that industrial security is now mandatory for the safety of machinery and is no longer just a matter of interpretation by the person placing the machinery on the market. In concrete terms, this means that in future, manufacturers will have to name conformity-relevant parts of their software and protect them against both accidental and intentional changes. Furthermore, in future, every machine will have to document evidence of lawful or unlawful intervention in the software. Manufacturers will have to revise their existing safety and security concepts with this in mind.

Cyber Resilience Act - a separate EU regulation

Participants of the two-day course "CESA - Certified Expert for Security in Automation" from Pilz acquire the normative expertise to implement technical and organizational security measures in the industrial environment.

© PeopleImages/E+/Getty Images, Pilz

In September 2022, the European Commission presented a draft regulation aimed at increasing the cyber security of products. The first draft of the Cyber Resilience Act is aimed at manufacturers of products and machines with digital elements - whether software or hardware - as well as operators. Software also includes firmware, for example. The regulation relates to both consumer products and products for industrial applications, such as machine control systems. According to the Cyber Resilience Act, only products that guarantee an appropriate level of cyber security, which must be verified on the basis of a risk assessment, may be placed on the market. Furthermore, manufacturers are obliged to inform customers about security vulnerabilities as quickly as possible and to close them. The regulation therefore affects the entire life cycle of a product. This means that manufacturers must now also offer software updates beyond the usual warranty period in order to ward off future threats. The EU regulation is expected to be published in two to three years.

What is NIS 2?

The author: Klaus Dürr is Vice President Standards Group at Pilz in Ostfildern.

© Pilz

NIS (Network and Information Security) is a European Union directive aimed at strengthening cyber security. This directive has been in place since 2016; it previously applied to providers in the critical infrastructure sector, including energy, transport, banking and finance, healthcare, drinking water supply and distribution and digital infrastructure. Providers in these sectors had to take "appropriate security precautions" and report serious cybersecurity incidents.
Its successor is the NIS 2 Directive, which came into force at the beginning of 2023 and must be transposed into national law by the EU member states by fall 2024. The directive now also applies within the mechanical engineering and automotive sectors, among others, and here for companies with more than 50 employees or an annual turnover of more than 10 million euros. According to the VDMA, this affects around 9,000 companies across Europe. In future, these companies will have to prove that they have taken technical, operational and organizational measures to protect themselves against security incidents. This initially includes the risk analysis of existing systems, including in production environments, i.e. OT (Operational Technology). This is followed by the development and implementation of specific processes and measures such as password protection or encryption, as well as further education and training for employees. Cyber security incidents must be reported to the relevant authorities within 24 hours. The explicit inclusion of supply chains is also new. In summary, NIS 2 now affects more companies, extends the obligations and provides for stricter sanctions. Companies that fail to take action face severe penalties.

The big question: "How?"

In summary, it can be said that whether and to what depth a company wants to deal with security is no longer a matter of discretion for the company, but a legal requirement. The question remains as to how all these upcoming normative security requirements can be implemented well and efficiently by international industry. After all, the challenges of taking the new requirements into account in existing and new development and manufacturing processes are huge. Companies would do well to deal with NIS 2 as soon as possible and carry out a holistic security assessment for the company. This includes, for example, setting up an information security management system (ISMS) with certification in accordance with the ISO 27001 information security standard.

In mechanical engineering, security in the form of industrial security is not the sole responsibility of IT, but an integral part of the design and construction process. Implementing security retrospectively is time-consuming and usually means a loss of user-friendliness, functionality and productivity. Security is now added to safety in the risk assessment. No CE marking without security! The IEC 62443 series of standards provides good guidance for manufacturers of products with digital elements. The subordinate standard IEC 62443-4-1, for example, describes requirements for a so-called "Security Development Lifecycle Process".

The EU has taken the lead in security legislation and Europe will have the strictest requirements in the world. However, coordination is already underway with other countries, and similar laws can be expected there too. Australia, for example, is currently in discussions with the EU and is likely to follow the European standards. Global harmonization of industrial security is therefore to be expected.

Certified security know-how:

With the "CESA - Certified Expert for Security in Automation" qualification, Pilz offers a two-day expert course that provides participants with compact security knowledge in line with the latest standards. This equips them to take effective technical and organizational security measures in industrial automation systems. This enables them to reduce the risk of manipulation or attacks in order to ensure safety and availability.

The training content covers the differences between the specific security requirements of operational technology (OT) and general information technology (IT) as well as the legal and normative requirements. The focus here is on the IEC 62443 standard "Industrial communication networks - IT security for networks and systems", from risk analysis to the secure operation of machines. This currently offers plant operators and equipment manufacturers the best orientation. Another focus is on the explanation of threat scenarios and possible defense strategies.
