Digital threat

The digitization of machines and production processes is increasing rapidly. Stricter regulations require organizations to take digital resilience seriously. How do you make sure you are compliant in time?

We must not be naive.

Machines, control systems, IoT devices, and digital supply chains are increasingly connected to each other. This offers unprecedented opportunities for efficiency, data analysis, and new functionality. But at the same time, it makes us vulnerable. Cyber threats such as ransomware, data breaches, and supply chain attacks are no longer abstract concepts; they pose concrete risks for OEMs and machine manufacturers.

The idea that "it won't happen to us" is dangerously naive. Examples of attacks on industrial systems appear in the media almost daily. The EU emphasizes that cyberattacks are strategic risks that can disrupt the economy and public safety. This has led to stricter regulations, such as NIS2 and the Cyber Resilience Act (CRA), which require organizations to take digital resilience seriously.

Rick Smelt
Technical Manager

NIS2

The NIS2 directive requires organizations to be cyber resilient so that disruption of critical processes is prevented. Whether your organization falls under NIS2 can be checked on your national government's website. This TechTalk does not go into NIS2 further: its focus is on machines and systems, whereas NIS2 is aimed at organizational cyber resilience.

CRA

The Cyber Resilience Act (CRA) focuses specifically on products with digital elements: hardware, software, IoT devices, and anything with a network connection. Key points of the CRA:

  • Security by design and secure by default
    Products must be secure from the design stage and delivered with secure settings and security features enabled as standard.
  • Updates and vulnerability handling throughout the lifecycle
    Manufacturers are responsible for handling vulnerabilities and providing security updates for the product's expected lifetime.
  • Transparent security information
    Users must be clearly informed about potential risks, the security measures taken, and how to install updates.

The CRA entered into force on December 10, 2024. Its main obligations apply from December 11, 2027; the reporting obligations for actively exploited vulnerabilities and severe incidents already apply from September 11, 2026.
Although that seems a few years away, there is already a lot of work to be done to ensure timely compliance.

Machinery Regulation

The new European Machinery Regulation ((EU) 2023/1230) replaces the old Machinery Directive (2006/42/EC) as of January 20, 2027. For the first time, it contains mandatory cybersecurity requirements for machines. Machines must not only be physically safe, but also resistant to cyberattacks. Without a CE marking showing that these requirements have been met, a machine may not be placed on the market or put into service. The core requirement is that the machine is protected against "unwanted access" that could affect safety. This is elaborated in the essential health and safety requirements of Annex III of the regulation:

Protection against corruption (1.1.9)

Machines must:

  • Be protected against corruption of software, data, or communications.
  • Be resistant to intentional or unintentional changes that affect safe operation.

This is about:

  • Attacks on PLCs, controllers, sensors, and actuators
  • Manipulation of parameters
  • Unauthorized access to control systems

Safety and reliability of control systems (1.2.1)

Control systems must:

  • Continue to operate safely, even in the event of cyber-related disruptions;
  • Be resilient against digital attacks that could lead to physically unsafe situations;
  • Be designed so that fault detection, emergency stop, and safe modes cannot be disabled by a cyberattack.

In other words: machines must remain fail-safe, even when someone attempts to circumvent safety measures via software.

In addition to the Machinery Regulation, the UNECE regulations R155 and R156, which cover cybersecurity management and software update management for vehicles respectively, sometimes also apply to the control systems we design at RIWO. These regulations can have a significant impact: we are currently working on a complete software migration for a series machine because the existing controllers do not meet the new requirements.

Guidance

The IEC 62443 series of standards for industrial automation and control system security provides a practical framework for meeting the cybersecurity requirements of the Machinery Regulation in an OT environment. There are a number of essential differences between IT and OT landscapes (long machine lifetimes, availability and safety before confidentiality, legacy protocols), even though the two are becoming increasingly similar.

The series covers cybersecurity across the entire life cycle of a machine and assigns requirements to each role: component manufacturers, machine builders and integrators, and end users (asset owners). Although cybersecurity will always be a race against attackers, the standard defines security levels (SL 1 to SL 4) and states which technical and process requirements must be met to reach each level, which gives a concrete target to design and test against.

In practice

In practice, we see that although machine safety is well established, cybersecurity still raises many questions, not only among integrators, but also among OEMs and machine manufacturers, for example:

  • What specific steps do you need to take to be compliant?
  • What obligations apply?
  • Are there any standard checklists or tools available?

At RIWO, we have taken the first steps:

  • Knowledge of the standards and the CRA has been acquired, and more colleagues are undergoing training.
  • The first cyber risk analyses are being carried out.
  • Cyber awareness training is given organization-wide.
  • The first SBOMs have been drawn up, and tooling for automated evaluation is under development.
  • Safety software is included in the technical construction file.
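
The list item on automated SBOM evaluation can be made concrete. The following Python script is an added illustration, not RIWO's tooling and not code from this page: it parses a constructed CycloneDX-style SBOM, matches each component against a constructed advisory list using half-open version ranges (introduced ≤ version < fixed, as vulnerability databases such as OSV express them), and reports components that are affected, affected with no fix yet, or lack a version altogether. All component names, versions, and advisory identifiers are invented.

```python
import json
import re

# Constructed CycloneDX-style SBOM for a hypothetical controller image.
# Names, versions and purls are invented for this illustration.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "fieldbus-stack", "version": "2.4.1",
     "purl": "pkg:generic/fieldbus-stack@2.4.1"},
    {"type": "application", "name": "web-hmi", "version": "1.9.0",
     "purl": "pkg:generic/web-hmi@1.9.0"},
    {"type": "library", "name": "log-core", "version": "0.9",
     "purl": "pkg:generic/log-core@0.9"},
    {"type": "firmware", "name": "safety-plc-fw"}
  ]
}
"""

# Constructed advisory feed with hypothetical identifiers. A real evaluation
# would pull these from a vulnerability database (OSV, NVD) instead.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "fieldbus-stack",
     "introduced": "2.0.0", "fixed": "2.5.0"},
    {"id": "ADV-EXAMPLE-0002", "name": "web-hmi",
     "introduced": "1.0.0", "fixed": "1.8.2"},
    {"id": "ADV-EXAMPLE-0003", "name": "log-core",
     "introduced": "0.1.0", "fixed": None},   # no fixed release published yet
]


def parse_version(text):
    """Turn '2.4.1' or '1.9.0-rc2' into a comparable tuple of ints.
    Pre-release and build suffixes are dropped before splitting."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", core))


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (half-open range).
    A missing 'fixed' means every version from 'introduced' on is affected."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_text):
    """Return (name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_text)
    return [(c.get("name"), c.get("version")) for c in bom.get("components", [])]


def evaluate(sbom_text, advisories):
    """Match every SBOM component against the advisory list.
    Components without a version cannot be assessed and are reported as such."""
    findings = []
    for name, version in load_components(sbom_text):
        if not version:
            findings.append({"component": name, "version": None,
                             "advisory": None, "status": "unknown-version"})
            continue
        for adv in advisories:
            if adv["name"] != name:
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                status = "vulnerable" if adv["fixed"] else "vulnerable-no-fix"
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"], "status": status})
    return findings


if __name__ == "__main__":
    for finding in evaluate(SBOM_JSON, ADVISORIES):
        print(finding)
```

The "unknown-version" status is deliberate: a component that appears in the SBOM without a version cannot be checked against any advisory, and under the CRA's lifecycle obligations that gap itself is a finding to resolve, not something to silently skip.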

It's not January 2027 yet, but we have drawn up a roadmap to support our customers and take care of their cybersecurity needs.

Are your machines already cyber secure? Are you looking for more information or advice? Contact us for a no-obligation consultation!
