FEATURE MACHINE BUILDING, FRAMEWORKS & SAFETY

CYBER SECURITY FOR MANUFACTURERS

The most important European legal cyber security acts and how they affect automation companies, machine builders and operators

In its new white paper, Lenze explains how to get to grips with the legal requirements of cyber security

Cyber security is growing in importance, and this has led to two pieces of European legislation: the Cyber Resilience Act (CRA), under which products have to meet certain requirements, and the NIS2 Directive, under which organisations have to meet a minimum set of requirements. So let's take a look at the issues, starting with PLCs. Because modern PLCs are built on standard operating systems and protocol stacks, they inherit the vulnerabilities of those components. PLCs are not usually connected directly to the internet, but the ever-increasing networking of OT with the company's IT makes it easier for an attack that starts in the IT environment to spread to the OT. However, it is not only companies that have a vested interest in avoiding cyber risks. States must also ensure that their critical infrastructures (hospitals, banks, etc.) keep functioning in the event of a cyber attack. This is one of the reasons why many countries have already developed national cyber security strategies.

EUROPEAN LEGISLATION FOR OT
The legal situation in the area of cyber security is developing very dynamically. Two of the most important legal acts at European level are the NIS Directive and the NIS2 Directive. The NIS Directive concerns measures for a high common level of security of network and information systems. It obliges the member states to identify operators of so-called essential services that are established on their territory and to review this list every two years. The NIS2 Directive repeals the NIS Directive: as it is a directive, member states must transpose it into national law by 17 October 2024, and its requirements apply from 18 October 2024. In addition to the sectors known from the NIS Directive, the NIS2 Directive adds further sectors, including waste management; food production; the manufacture, production and distribution of chemicals; and the manufacturing of goods. Of particular interest to machine builders is the manufacturing sector, which covers, among others, the manufacture of machinery and equipment. Put simply, every machine manufacturer that produces a machine for one of the listed economic sectors is affected. While the NIS2 Directive in principle only applies to companies that are at least medium-sized enterprises, there are some exceptions to that size threshold.

OBLIGATIONS OF ESSENTIAL/IMPORTANT ENTITIES
Entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks to the security of their network and information systems and to minimise the impact of security incidents. In addition, both essential and important entities must submit an early warning to the responsible CSIRT (Computer Security Incident Response Team) within 24 hours of becoming aware of a significant incident, an incident notification with an initial assessment within 72 hours, and a final report within one month. Supervision differs for essential and important entities. In simplified terms, essential entities must proactively demonstrate compliance with the measures, i.e. the member states can request evidence of the implementation of risk management measures or of the cyber security concept even though no incident has yet occurred. In the case of important entities, this evidence usually only has to be provided after an incident or where there are indications of non-compliance. Further details should be taken from the NIS2 Directive itself.

THE CRA AND THE NIS DIRECTIVES
Affected companies must therefore familiarise themselves with the NIS2 Directive in order to identify the scope of requirements and obligations relevant to them. The CRA, by contrast, applies to products with digital elements that have a direct or indirect connection to a device or network. A product with digital elements is understood to be software or hardware together with any associated remote data processing. The focus of the CRA is therefore on the product, whereas NIS/NIS2 focuses on the obligations of operators, companies and, ultimately, states. Important exceptions to the CRA are samples/prototypes and spare parts.

OBLIGATIONS OF THE MANUFACTURER
The manufacturer must consider the essential requirements of the CRA during the product development phases. In addition, however, they must also consider the cyber security risks in the planning, delivery and maintenance phases. The integration of components from third-party manufacturers is likely to pose a particular challenge for manufacturers, as is defining the expected product lifetime, which determines the support period. Unless the product is expected to be in use for a shorter time, the support period should be at least five years, and within it the manufacturer must provide security updates free of charge. Another point that should be emphasised is the reporting obligations. If the manufacturer becomes aware of the active exploitation of a vulnerability in its product, an early warning must be sent to ENISA within 24 hours. Within 72 hours, a vulnerability notification with further information on the vulnerability and the corrective or mitigating measures taken or planned must follow, and a final report with further details must be submitted no later than 14 days after a corrective or mitigating measure is available.

PROTECTING PRODUCTS
Although the CRA has not yet been finally adopted, manufacturers should take a closer look at it, as it will have a significant impact on products. It is, of course, also highly beneficial if manufacturers ensure that their products do not serve as a gateway for cyber attacks. Cyber security also requires operators to realise that a machine no longer only needs to be maintained according to the manufacturer's instructions: cyber security considerations play a role in the operation of the machine and must be taken into account over its whole life. A cyber security product life cycle must likewise be implemented when developing components. Lenze is implementing security measures in its processes and products as part of the further development of its product range. The requirements of IEC 62443-3-3, IEC 62443-4-1 and IEC 62443-4-2 form an essential basis for this.

Lenze
www.Lenze.com

The full white paper can be downloaded from the website

14 DESIGN SOLUTIONS SEPTEMBER 2024