Increased cyber attacks, security requirements in the new Machinery Regulation and manipulation protection – pressure is growing on industry to deal with Industrial Security. But where to start? And how to implement it? In Germany, Pilz is launching the Industrial Security Consulting Service.
With digitisation and networking, the risk of machinery being affected by security incidents increases. They are not always targeted attacks from outside; internal manipulation can also damage machinery. Legislators have recognised the importance of security. This is reflected in the new Machinery Regulation, for example: In order to import machinery into Europe, machine builders have always had to undergo the conformity assessment procedure, ending with the CE mark. In accordance with the new regulation, machine builders must prove that their machines are not only functionally safe, but are also protected against manipulation. This means: security is a legal requirement in future!
New legal requirements for security
The standards and laws for machinery safety in an industrial environment are currently facing upheaval. This is being driven by the issues of Security and Artificial Intelligence (AI). For industry in general and mechanical engineering in particular, there are three new or upcoming legal requirements for security that are relevant: the EU Directive NIS 2, the new Machinery Regulation and the Cyber Resilience Act.
EU Directive NIS 2
In comparison with the previous directive, NIS 2 affects more companies, extends the obligations and provides for stricter sanctions. Companies that fail to take measures are threatened with severe penalties.
Cyber Resilience Act
The Cyber Resilience Act is directed toward manufacturers of products with digital elements. They should only be allowed to place products on the market that guarantee an appropriate level of cybersecurity. The regulation is due to be adopted at the end of 2024.
EU Machinery Regulation
From January 2027, the Machinery Regulation will replace the existing Machinery Directive and, in contrast to its predecessor, makes cybersecurity mandatory. The security protection goal has been included in the regulation, in the “Essential health and safety requirements EHSR”, under “Protection against corruption”.
On the other hand, security is uncharted territory for many companies: there is a knowledge gap, so there are no strategies; responsibilities are often not defined. So what to do?
“The new Machinery Regulation is a good opportunity for machine builders and operators to deal with Industrial Security”, explains Bernd Eisenhuth, Senior Consultant Business Areas at Pilz. For this is the first time a specific requirement will be set, and a framework specified.
Because machinery in future no longer needs to be just Safe, but also Secure, Eisenhuth and his team will offer a service to advise and support companies on Industrial Security. This will be available initially in Germany, but will be offered worldwide from next year.
Proven methodology from machinery safety
Pilz has developed the Industrial Security Consulting Service, building on the proven methodology for machinery safety services and based on the security standard series IEC 62443. Once companies have used this service, they will be well equipped in terms of Industrial Security, and will meet the current legal requirements.
Modular service for the protection of human and machine
Initially, the service package will consist of the following modules: Protection Requirements Analysis, Industrial Security Risk Assessment, Industrial Security Concept and Industrial Security System Verification.
The Protection Requirements Analysis is the first step towards Industrial Security. It is used to identify the applicable standards and regulations, define the scope of the plant or machine to be protected and determine the system’s protection goals. Bernd Eisenhuth explains what customers can expect in this first step:
As with machinery safety, this is followed by a Risk Assessment. Here it is a case of identifying all the risks for each subsection over the system’s complete lifecycle. Vulnerabilities and potential hazards are documented. Pilz experts discuss the result and potential solutions with the customer:
In step 3, experts from Pilz create an Industrial Security Concept. This describes potential strategies for repelling or mitigating hazards. Specifically, workflows for countermeasures are developed, and a check looks at which individual measures make sense – from user authentication and physical protective measures to backing up and restoring data. In addition, policies, rules and guidelines are created for the continued “safe” operation of the system over the whole lifecycle:
The fourth and final step is the Industrial Security System Verification. This checks the effectiveness of the implemented countermeasures. The results, including any potential discrepancies, are recorded in a test report. The customer can rest assured that the concepts and measures also work in practice.
The Industrial Security Consulting Service from Pilz expands the previous safety-related inspection of machines that focused on functional safety, to create a holistic approach to Safety and Security. Machine builders and users receive a service package from Pilz, which takes into account all aspects for the protection of human and machine.
Industrial Security Consulting Service
Pilz is expanding its service portfolio in the Industrial Security sector and thereby supplementing the training courses offered in this field. The “Industrial Security Consulting Service” will start in the autumn, initially in Germany. If you are interested, further information is available at firstname.lastname@example.org.
Specifically, users ensure the availability and integrity of their machinery and system, so that the integrity of the machine, processes, and ultimately the end product, is guaranteed.
However, Bernd Eisenhuth has another, quite personal, motivation: “Our greatest incentive is always the protection of humans, because without Industrial Security, functional safety measures can be defeated. Nobody should be injured by automation.”