Cybersecurity: are we ready to protect our data?

… Network and information systems and electronic communications networks and services play a vital role in society and have become the backbone of economic growth.

Information and communications technology (ICT) underpins the complex systems which support everyday societal activities, keep our economies running in key sectors such as health, energy, finance and transport, and, in particular, support the functioning of the internal market.

The use of network and information systems by citizens, organisations and businesses across the Union is now pervasive.

Digitisation and connectivity are becoming core features in an ever growing number of products and services and with the advent of the Internet of Things (IoT) an extremely high number of connected digital devices are expected to be deployed across the Union during the next decade.

While an increasing number of devices is connected to the internet, security and resilience are not sufficiently built in by design, leading to insufficient cybersecurity. (1)

Note (1)
This is an excerpt from Regulation (EU) 2019/881 on ENISA, the European Union Agency for Cybersecurity, and Cybersecurity Certification for Information and Communications Technologies.

A new EU Directive on cybersecurity of machinery and industrial processes

The advent of IoT and Industry 4.0 has significantly enhanced the level of machine connectivity to the internet. But were these machines ready to be connected? Are the existing remote assistance systems and software suitable? These questions open up new scenarios regarding the critical issue of cybersecurity.

Information security has traditionally been managed at an IT level, involving servers, firewalls, VPNs, complex passwords and two-step authentication: terminologies and procedures that have become commonplace in offices and in the worlds of infrastructure and finance.

However, machinery and industrial processes are already lagging behind. It is only now that Directive (EU) 2022/255 (NIS2), due to come into force by 17 October 2024 and aimed at increasing the level of cybersecurity within the Union, has broadened its scope to machinery manufacturers while introducing the new multi-risk requirement that extends to the service providers connected to the manufacturers’ networks.

It is therefore crucial to identify the characteristics that industrial plant and machinery must adhere to in order to ensure an adequate level of cybersecurity and ascertain the degree of mandatory compliance.

Secure authorisation management

Cybersecurity or ICT (Information and Communications Technology) security is not explicitly addressed by the Machinery Directive 2006/42/EC as it involves the issue of “security” rather than that of “safety”. Nonetheless, there is a degree of overlap, as in the standards ISO 13849-1, EN 415-10, ISO 61511 and ISO 10218-1, which essentially emphasise two key principles:

  1. the remote connection must be authorised locally (using a key selector, password, code or some other identification and authorisation system);
  2. it must not be possible to modify safety parameters remotely without local authorisation.

So to protect our machinery from potential external threats, we must take action regarding both safety and security.

When a machine is connected to the corporate network, it is essential to ask the following questions: Who is able to access my network? Are they authorised or not? When and how do they access my network? And what resources do they have access to?

These considerations highlight the need to control crucial services like teleassistance and remote machine connections as they can provide gateways to corporate networks.

Machines are normally connected to the corporate network via unmanaged routers or switches, without rules or filters, or via remote assistance software, which in the absence of clearly defined rules allows machine suppliers to connect whenever necessary. If access is not adequately restricted or protected, this inadvertently allows entry to even relatively inexperienced hackers, granting access to sensitive data on production lines.
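A minimal model of the two principles listed above (remote connection only after local authorisation; no remote change of safety parameters without local authorisation) combined with the who/when/where/what questions of the previous paragraphs. This is an added example, not code from the article or from any machine or PLC vendor: MachineController, SAFETY_PARAMS, the parameter names and their values are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: parameters that feed the safety functions of the machine.
SAFETY_PARAMS = {"max_speed_rpm", "light_curtain_enabled", "sto_delay_ms"}


@dataclass
class MachineController:
    """Hypothetical controller model enforcing the two principles above."""
    # Local key selector: an operator at the machine must turn it to "remote"
    # before any remote session (teleassistance, supplier VPN) is accepted.
    key_selector_remote: bool = False
    # One-shot local confirmations, e.g. an HMI button pressed at the machine,
    # each approving exactly one remote change to a safety parameter.
    local_confirmations: int = 0
    params: dict = field(default_factory=lambda: {
        "max_speed_rpm": 1500, "light_curtain_enabled": True, "recipe_id": "A12"})
    audit: list = field(default_factory=list)

    def _record(self, who, origin, action, target, allowed):
        # Answers the questions in the text: who, from where, when, doing what.
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "who": who,
                           "origin": origin, "action": action, "target": target,
                           "allowed": allowed})
        return allowed

    def open_session(self, who, origin):
        # Principle 1: a remote connection is only accepted after local authorisation.
        allowed = origin == "local" or self.key_selector_remote
        return self._record(who, origin, "open_session", None, allowed)

    def grant_local_confirmation(self):
        # The operator at the machine explicitly approves one safety-parameter change.
        self.local_confirmations += 1

    def write_param(self, who, origin, name, value):
        if origin == "remote" and not self.key_selector_remote:
            return self._record(who, origin, "write", name, False)
        if origin == "remote" and name in SAFETY_PARAMS:
            # Principle 2: no remote change of safety parameters without local authorisation.
            if self.local_confirmations == 0:
                return self._record(who, origin, "write", name, False)
            self.local_confirmations -= 1
        self.params[name] = value
        return self._record(who, origin, "write", name, True)

    def denied_attempts(self):
        # Denied entries are the ones worth forwarding to monitoring as alerts.
        return [e for e in self.audit if not e["allowed"]]
```

Every attempt, allowed or denied, lands in the audit list, so the plant can answer after the fact who connected, when, from where and what they tried to change.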

The flourishing cybercrime market

Beyond traditional ransomware, which encrypts data and then demands a ransom, corporate cybercrime may include theft of PLC or CNC programs, machine “recipes”, or even worse, sabotage of the production process.

According to a 2022 study by the European Union Agency for Cybersecurity (ENISA), one of the top ten threats consists of supply chain attacks targeting the relationship between companies and suppliers. Organisations are becoming more vulnerable due to the adoption of increasingly complex systems and a supply chain that is difficult to control.

So while we are clearly facing new forms of corporate cybercrime, this exponential increase in cyber-attacks must also be tackled from an industrial perspective, focusing not just on IT but also on the OT (operational technology) sector.

IT and OT operators and technicians must collaborate

Some 94% of attacks on IT systems (the office world) have also caused disruptions in OT systems (the industrial world), leading to production stoppages and consequently halting entire production lines. Conversely, unauthorised access from the OT network, to which all machines are now interconnected, may result in infiltration of the IT network.

This issue is a subject of extensive discussion, particularly concerning the new requirements of the Machinery Regulation (EU) 2023/1230 (Directive NIS2), within the IEC 62443 family of standards.

Data protection tools

To protect their data, companies require analysis and control tools and technical solutions to regulate access and fully reap the benefits of Industry 4.0. An important guideline for machine protection is contained in the standard IEC TS 63074 “Safety of machinery - Security aspects related to functional safety of safety-related control systems”, which introduces the concept of Risk Security Analysis and cites the IEC 62443 family of standards, especially IEC 62443-2-1 and IEC 62443-3-2.

The regulatory framework is now ready in preparation for the Machinery Regulation (EU) 2023/1230, due to come into effect on 1 January 2027, which with the new RES 1.1.9 “Protection against corruption”, introduces the essential requirement for cybersecurity and a new principle of legitimate or illegitimate intervention on the machine.

In the United States, with the NEC 2023 for industrial machinery which came into effect last January, the requirement is already mandatory in 12 states, setting a concrete precedent. Likewise, Europe is poised to implement this requirement by way of NIS2 in 2024 and the Machinery Regulation (EU) 2023/1230 in 2027, requiring specific cybersecurity action on machines, plants and service providers as early as the coming months.

Below is an excerpt from the NEC 2023 document, where the fundamental requirement is compliance with the ANSI/ISA 62443 family of standards.

(8) Cybersecurity for network-connected life safety equipment to address its ability to withstand unauthorized updates and malicious attacks while continuing to perform its intended safety functionality.

Informational Note No. 3: See the ANSI/ISA 62443 series of standards for industrial automation and control systems, the UL 2900 series of standards for software cybersecurity for network-connectable products, and UL 5500, Standard for Remote Software Updates, which are standards that provide frameworks to mitigate current and future security cybersecurity vulnerabilities and address software integrity in systems of electrical equipment.

Matteo Marconi, A.C.&E. (Verona, Italy)