MachineBuilding.Live

exhibition preview

The future of safe automation

Pilz CEO Thomas Pilz discusses the developments and issues impacting on the machinery safety landscape, and what they mean for the future of safe automation.

The standards and laws for safety in an industrial environment are currently facing upheaval, driven by the issues of security and Artificial Intelligence (AI). For industry in general, and for mechanical engineering in particular, three new or upcoming legal requirements for security are relevant: the EU Directive NIS 2, the new Machinery Regulation and the Cyber Resilience Act.

NIS (Network and Information Security) is a European Union directive aimed at strengthening cybersecurity. It has existed since 2016 and, so far, has applied to critical infrastructure providers, including energy, transport, banking and finance, health, drinking water supply and distribution, and digital infrastructure. Providers in these sectors have had to implement “appropriate security safeguards” and report any serious cybersecurity incidents.

Its successor, NIS 2, came into force at the beginning of 2023 and must be adopted into national law by EU member states by autumn 2024. The directive now also applies within the engineering and automotive sectors, among others, to companies with over 50 employees or an annual turnover of more than 10 million Euro. According to the German Mechanical Engineering Industry Association VDMA, this will affect around 9,000 companies across Europe. In future these companies will need to prove that they have taken technical, operational and organisational measures to protect against security incidents. Firstly, this means a risk analysis of existing systems, including those in production environments, in other words OT (Operations Technology). This is followed by the development and implementation of specific processes and measures, such as password protection or encryption, as well as continuing education and training for employees. Cybersecurity incidents must be reported to the relevant authorities within 24 hours. The explicit inclusion of supply chains is also new. To summarise, NIS 2 now affects more companies, extends the obligations and provides for stricter sanctions. Companies that fail to take measures face severe penalties.

Whole product lifecycle

In September 2022, the European Commission submitted a draft for a regulation intended to increase the cybersecurity of products. This Cyber Resilience Act is directed toward manufacturers of products with digital elements. It covers both consumer products and products for industrial applications, such as machine controllers. Under the Cyber Resilience Act, only products that guarantee an appropriate level of cybersecurity may be placed on the market. Manufacturers are also obliged to inform customers of security vulnerabilities and close them as quickly as possible. The regulation therefore applies to the whole of a product’s lifecycle: manufacturers must now offer software updates beyond the usual warranty period, so that future threats are also repelled. We assume that the regulation will be adopted at the end of 2024.

Mandatory cybersecurity

The third new statutory security requirement is the EU Machinery Regulation. Its publication is imminent. As it is a regulation, it does not have to be converted into national law first. Machine manufacturers have 42 months in which to meet the new requirements. The Machinery Regulation replaces the existing Machinery Directive and, in contrast to its predecessor, makes cybersecurity mandatory. Whereas the Machinery Directive examined safety only, the Regulation adds the security protection goal to the “Essential health and safety requirements” (EHSR), under “Protection against corruption”: the machine’s safety functions must not be compromised by corruption, whether intentional or unintentional. So far it is known that meeting the requirements of the Cyber Resilience Act leads to a presumption of conformity with the Machinery Regulation.

In order to import machinery into Europe, machine builders have always had to undergo the conformity assessment procedure, ending with the CE mark. Now, with the new Machinery Regulation, machine builders must also prove that their machines are protected against manipulation. And finally, electrical component manufacturers are subject to the future requirements of the planned Cyber Resilience Act. It is no longer at the company’s discretion whether, and to what extent, it wishes to grapple with security; it is a legal requirement.

Companies would be wise to deal with NIS 2 as soon as possible and carry out a holistic security assessment of the company. This includes, for example, the development of an Information Security Management System (ISMS), with certification in accordance with the information security standard ISO 27001. In engineering, security in the form of industrial security is not solely a task for IT, but an integral part of design and construction. Implementing security retrospectively is always complex, and usually means reductions in user friendliness, functionality and productivity. The risk assessment now covers security as well as safety: no security, no CE mark. For manufacturers of products with digital elements, the IEC 62443 series of standards provides good orientation. The subordinate standard IEC 62443-4-1, for example, describes the requirements of a “Secure development lifecycle process”.

The EU has been quick off the mark with security legislation; the world’s strictest requirements will apply in Europe. But agreements are already in place with other countries, and such laws will be introduced there too.

www.pilz.com

See Pilz on Stand 41

MachineBuilding.Live 2023

