Cyber attacks have shown in recent years that they can do more than disrupt operations and compromise sensitive data—they can put lives at risk. And now, legislation is emerging to address safety risks that originate from security vulnerabilities.
In Europe, the New Machinery Regulation that is expected to go into effect in 2022 or 2023 will be the first major legislation worldwide requiring companies to address security-based safety risks in machinery. Global industrial standards are also evolving to address safety in the context of security.
Addressing safety and security together was already a good practice. Soon, it will be required by law. Being proactive and educating yourself on what’s required can help you be prepared—and compliant—when the law goes into effect.
What’s in the law
The New Machinery Regulation will repeal the existing Machinery Directive (2006/42/EC) and will be a mandatory requirement for any machine builder that produces or sells machines in the E.U.
Among the changes in the new regulation are requirements that machines protect against corruption. These requirements include:
- Machines must be designed and built so connections to other devices do not lead to hazardous situations.
- Connected hardware components, software, and data that are critical to EHS compliance must be protected against accidental or intentional corruption.
- Machines must identify software that is necessary for their safe operation.
The proposed law will also require that control systems be designed and built to withstand intended and unintended external influences, including malicious third-party attempts to create hazardous situations.
The proposed legislation will require mitigation of the potentially dangerous consequences of physical and digital cyber attacks. Several incidents have already offered a glimpse of what such attacks can do. In one incident, a cyber attack on a German steel mill caused extensive physical damage. Attacks on water treatment plants have also threatened to contaminate drinking water supplies, while attacks on oil and gas operations and food processing plants have threatened to disrupt key supplies that populations depend on.
Standards bodies are also updating standards in parallel to the New Machinery Regulation to help the industry address safety and security risks together.
One development worth keeping an eye on is IEC Technical Report (TR) 63074 entitled “Safety of Machinery—Security aspects related to functional safety of safety-related control systems.” It provides guidance for using the IEC 62443 series of IACS security standards to address security threats and vulnerabilities that can influence functional safety and impact a safety control system’s ability to maintain safe machine operation.
IEC TR 63074 is scheduled to be released as a Technical Specification (TS) next year. It could then become a normative standard—one that could possibly help you meet the requirements of the New Machinery Regulation.
This article is part of our monthly Automation Zone column.
The IEC 61508 safety standard is also evolving to address the inter-related nature of safety and security. The standard already states that a security threat analysis should be conducted if a hazard analysis identifies a reasonably foreseeable malevolent or unauthorized action that constitutes a security threat. An updated version of the standard will be published this year and provide further guidance for addressing cybersecurity risks as part of a functional safety approach.
Another development to follow is the evolution of ISO TR 22100-4 entitled “Safety of Machinery—Relationship with ISO 12100 Part 4: Guidance to machinery manufacturers for consideration of related IT-security (cybersecurity) aspects” into a formative standard. It provides the machine-builder community with an organized and structured approach for addressing IT-security risks in relation to the overall safety risk assessment for a machine. It includes the essential steps to identify and assess IT-security threats and provides guidance for applying appropriate IT risk mitigation measures.
Where can you start?
These new regulations and standards may be more than you feel you can deal with today.
You’re likely already being asked to deliver high-performing machines that are smart, productive, and safe. Now, on top of that, you also need to make sure your machines have the right level of cybersecurity to help protect your customer’s data, products, operations, and people.
Fortunately, safety and security have some commonality in how you analyze and mitigate risks. In particular, both safety and security require that you perform a risk assessment, making that activity a good starting point to address safety and security together as part of a larger risk management strategy.
Of course, you can only address safety and security risks together if the OT and IT teams responsible for them are talking to each other and working together toward the same goal. This can be a significant hurdle to overcome.
Historically, OT and IT teams have taken their own separate paths for managing safety and security risks. Additionally, because IT protocols are sometimes seen as an obstacle for OT teams, the two sides may not have the best relationship. But it’s important that both groups put aside past differences and cooperate on what matters most to both of them—risk management.
When OT and IT teams join forces to address safety and security together for the first time, outside support can help the teams coalesce and get off to a smooth start. For example, a service provider with both safety and security expertise can help you achieve consistency and alignment between your safety and security risk assessments.
A service provider experienced in risk management strategies can also help you address the complex interplay between safety and security. Security patches, for instance, can impact the response time of safety devices, potentially rendering them redundant and creating unsafe operations. OT and IT teams must be able to understand each other’s perspectives and seek to achieve shared goals.
Change is coming
New cybersecurity laws and standards are in development, and they are now set to address cybersecurity's impact on functional safety. They will affect you either directly or indirectly through your customers. By taking a proactive approach, you can prepare your business for these new requirements now and avoid playing catch-up later—and help your customers do the same.
This story originally appeared in the June 2022 issue of Plant Services.