Cybersecurity Becomes a Duty

Cybersecurity Becomes a Duty

Up to now, the topic of cybersecurity with regard to networked machines and systems has been of relatively little importance for many organizations - except for a manageable number of very specific application areas. However, this is about to change for practically all suppliers and very many operators as a result of current legislative processes.

Various EU regulations, most of which were launched in 2022 and are now gradually being transposed into national law in the member states, give cybersecurity a completely new significance for networked machines and plants as well.

These include the EU NIS-2 Directive on Network and Information Security (EU Directive 2022/2555) together with the Resilience Directive 2022/2557, the EU Machinery Regulation 2023/1230, and the drafts of the EU Cyber Resilience Act (CRA). But the EU Commission's draft for a new product liability law is also part of this (see the proposal of the Product Liability Directive from December 2022). This turns software into a product, for example.

Software Is Also a Product

This is likely to result in some serious changes for the networked controls of machines and plants. But AI implementations and 3D CAD data will also be included in product liability in the future. One could also still refer to the draft AI Liability Directive or the new Radio Equipment Directive (EU Regulation 2022/30). Finally, machines with Bluetooth, WLAN, 4G or 5G are also affected by this EU regulation with regard to cybersecurity.

Who is Affected?

How can the flood of regulations, which seems impressive at first glance, be countered? First of all, it is advisable to take a systematic approach to check the extent to which you are affected by the respective regulation and from when the regulations apply. The new Machinery Regulation, for example, formally came into force in July 2023.

However, its application is only mandatory after a three-and-a-half-year transition period.

The CRA has been drafted in September 2022 and is very far-reaching, affecting virtually all products with digital elements, including all consumer electronics. However, it has not yet been fully clarified when and how the CRA will be implemented. The situation is very similar with the Product Liability Directive. There is probably still more need for discussion here, for example about the overlaps with the EU AI Regulation, the handling of evidence, class action aspects due to the elimination of the 500-Euro deductible, and much more.

The EU-NIS-2 Directive

As of today, management should first take a closer look at the NIS-2 directive. It is aimed at the "essential" and "important" operators of networks and IT systems in certain areas. This directive will become legally binding throughout the EU in October 2024 and will apply not only to IT, but also to networked machines and systems (i.e., so-called "operation technology"). The corresponding draft bill from the german Federal Ministry of the Interior for NIS-2 implementation has already existed since July 2023.

Here, not only are the rules of some EU legislation that has existed for many years – i.e., the NIS-1 Directive 2016/1148 as well as 910/2014 and 2018/1972 – revised, but also significant penalties for violations of the law are specified – similar to the General Data Protection Regulation, but with a significant expansion of private manager liability.

At the same time, the scope of affected organizations was also significantly expanded. NIS-1 practically only covers the "sectors with high criticality", essentially the critical infrastructure.

As a result of the new NIS-2 directive, manufacturers of electrical equipment and appliances, machinery and cars, for example, are now also included above a certain company size (50+ employees and/or 10+ million euros turnover). They are referred to as "other critical sectors" in the directive.

It is estimated that, compared to NIS-1, around 29,000 additional companies in Germany alone, will fall under the new legal requirements for network and information security. The majority of those newly affected are probably not yet aware that the NIS-2 requirements apply to them.

Which Requirements Have to be Fulfilled?

The German-language translation of the NIS-2 EU Regulation consists of 46 articles and covers a total of 73 pages (from the perspective of the organizations concerned, articles 21 and 23 are of particular importance). Table 1 provides an overview of the NIS-2 minimum requirements to be met for a uniform cybersecurity level.

In this way, the EU aims to ensure that essential and important entities use technical and organizational measures to guarantee secure operation of their operationally required network and information systems.

The regulation further requires appropriate activities to minimize the impact of security incidents in affected organizations and to provide appropriate support to users of the services and products of an entity regulated by NIS-2.

Together with the registration and notification requirements of Article 23, the requirements appear at first glance to be implementable with regard to local networks and IT systems as a whole.

Risk analysis strategies Concepts related to risk analysis and security for information systems.
Handling of security incidents Management of security incidents (incident handling).
Operational continuity Business continuity, such as backup management and disaster recovery, as well as appropriate crisis management.
Supply chain security Supply chain security, including security-related aspects of the relationships between individual facilities and their direct or service providers.
General operating guidelines Security measures in the acquisition, development, and maintenance of network and information systems, including vulnerability management and disclosure.
Evaluation and measurement system Concepts and procedures for evaluating the effectiveness of cybersecurity risk management measures.
Context-related employee training Basic cyber hygiene procedures and cybersecurity training.
Cryptography guidelines Concepts and procedures for the use of cryptography and, where appropriate, encryption.
Personnel and equipment safety Personnel security, access control concepts and asset management.
Personnel and equipment safety Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications, and secure emergency communications systems within the facility, as appropriate.

Table 1: Overview of the minimum measures required in accordance with Article 21 of EU Official Journal 2022/2555 to protect the network and information systems as well as the physical environment of the systems affected from security incidents. Furthermore, the measures must be based on a cross-hazard approach.

Not only IT, but also OT!

However, the requirement of "Operational Continuity" in Table 1 makes it clear that the NIS-2 specifications not only refer to the corporate IT, but also to the networked machines and systems in production, and even to the individual control cabinet with a Profinet or TSN-based network for controlling a machine, as well as to the Modbus network for building management.

Basically, the regulation also applies to everything that is now classified in the generic term "Operation Technology" (OT).

This is where things become much more challenging, as OT technology is often operated as a "Black Box".

Application Example EMS

Figure 1 shows the rough relationships for the processes of an EMS service provider (EMS = Electronic Manufacturing Service) with company headquarter within the EU in the role of machine and system operator:
The EMS service provider's customers develop electronic assemblies using their CAD systems and upload the CAD data of an assembly (the product X) to a cloud of the EMS service provider.

This data then passes through various instances at different locations. This also triggers external partial manufacturing processes: the Gerber data of the circuit board from the CAD data of product X goes to China, for example, to have the blanks manufactured there; the firmware binaries go to a chip programming service provider who programs the firmware into flash memory chips.

At the end of the entire manufacturing process, a fully assembled and tested assembly is delivered to the customer by the EMS service provider.

From a cybersecurity perspective, one might now ask, for example:

How does the EMS provider ensure that there is no data integrity error in the final product?

Figure 1: Application example EMS

OT/IT Cybersecurity Management Process

To put NIS-2 into practice, a cybersecurity strategy encompassing both IT and OT is needed. In terms of OT/IT connections, this strategy can be thought of as a four-step action loop. The four elementary components for such a Cybersecurity Management Process would be, for example:

  • CHECK: Cyber threat analysis for the own organization or the existing IT and OT infrastructure.
  • MEASURE: Assessment of the maturity level of the existing security measures.
  • PLAN: Creation of a description or plan of what can be improved in the existing security measures.
  • DO & DOCUMENT: Implementation of the measures from the plan (Do) as well as documentation showing the current status of the cybersecurity strategy in each case (Document).

Such a "Check-Measure-Plan-Do and Document-Loop", will – similar to an ISO 9001:2015-based quality management system – be run through again and again to meet the NIS-2 obligations as well as to incrementally improve cybersecurity and cyber resilience and be able to prove it.

It is important that every single data flow between all OT and IT applications is recorded in a completely transparent manner and visualized with all interfaces in a data flow diagram to enable further analyses.

We have developed a template for such a cybersecurity strategy, which we use in our projects and which we adapt to the individual customer requirements in each case.

Figure 2: OT/IT Cybersecurity Management Process

However, it is not enough to protect an OT/IT integration point only against access-based attack types (see table 2):

DoS A Denial-Of-Service (DoS) attack aims to block a network or resource by flooding a target with artificial traffic. This restricts normal use of the attacked service or even makes it completely impossible due to overload.
DDoS Distributed Denial-of-Service (DDoS) attacks. Conducted by multiple agents simultaneously against a single victim. Essentially, all attacking agents collectively generate very large numbers of data packets towards the victim in order to overwhelm it with protocol-specific requests, thereby overloading the victim's resources.
Brute Force A brute force attack is an attempt to crack a certain password protection or username, find a hidden website, other services or a cryptographic key.
XSS Cross-site scripting (XSS) is an attack against certain web applications. XSS attacks allow attackers to inject client-side scripts into web pages, which are then accessed by other users.
SQL Injection SQL injection is an attack on SQL databases. The attacker can inject database commands, read, delete and modify data or destroy the entire database.

Table 2: Access-based attack types

In Article 21, NIS-2 also explicitly requires measures for personnel and equipment security.

This also includes physical access control systems and environmental monitoring.

Cyber-attacks are also possible by deliberately manipulating environmental conditions over a greater distance. If a system uses radio communication, for example, targeted interference with the relevant frequency bands can cause considerable damage.

OT Security Tip #1: Unidirectional OT/IT Gateway

An unidirectional gateway is a security component in computer networks that serves to enforce the flow of data in a single direction. It is therefore also referred to as a "data diode". It is used in networks where strict security zone separation (segmentation) is required.

The main function of such a data diode is to allow data to flow between two networks in one direction only. In networked automation technology, this means that, for example, data can only flow from the OT network to the IT network, but not in the opposite direction.

Figure 3: Unidirectional OT/IT Gateway

  • Physical and logical OT/IT segmentation
  • Adaptation to the application or the safety requirements
  • Unidirectional data flow from the OT network to the IT network
  • No open TCP/UDP ports from the IT network to the OT network
  • Blocking of all incoming ARP/ICMP traffic
  • Sensor option to detect intrusions from the IT direction
  • Option to detect abnormal data traffic in the OT network
  • Interfaces for external sensors, e.g., sabotage detection, control cabinet door open

Unidirectional gateways for data diode applications can have different safety features. In the simplest case, data traffic against the direction of flow is prevented by special functions. In the maximum configuration, the (PHY-RX) receive signals at the IT interface do not exist at all.

Our multifunctional OT/IT gateway IGW/936A was designed for exactly such purposes and is therefore also ideally suited for use as a data diode or unidirectional gateway.

Do You Have Questions?

We would be happy to discuss with you how you can bring your networked machines and systems into the future in a law-compliant and secure manner!


Kontakt aufnehmen!


Dünenweg 5
30419 Hannover

Phone: +49(0)511 · 40 000-0
Fax: +49(0)511 · 40 000-40

Imprint    ·    Privacy Policy    ·    Terms & Conditions

© 2024 SSV SOFTWARE SYSTEMS GmbH. All rights reserved.

ISO 9001:2015