Loading
Magazine | Machine Safety

Prepare for the New Machinery Safety & Security Standards

Addressing machinery security-related safety risks won’t just be a good practice, it will be required under law if you produce or sell machines in the E.U.
Factory worker or engineer working on a machine.

By Jonathan Johnson, Senior Technical Consultant and David Main-Reade, Manager, Global Products, Standards and Regulations, Rockwell Automation

Cyberattacks can do more than disrupt operations and compromise sensitive data — they can put lives at risk. And now, legislation is emerging to address machinery safety risks that originate from security vulnerabilities.

In Europe, the New Machinery Regulation, expected to go into effect in 2023, will be the first major legislation worldwide requiring companies to address security-based safety risks in machinery. Global industrial standards are also evolving to address safety in the context of security.

Addressing safety and security together already was a good practice. Soon, it will be required by law. Being proactive and educating yourself on what’s required can help you be prepared — and compliant — when the law goes into effect.

What’s in the Law

The New Machinery Regulation will repeal the existing Machinery Directive (2006/42/EC) and will be a mandatory requirement for any machine builder that produces or sells machines in the European Union (E.U.).

Among the changes in the new regulation are requirements that machines must protect against corruption. These requirements include:

  • Machines must be designed and built so connections to other devices do not lead to hazardous situations.
  • Connected hardware components, software and data critical to EHS compliance must be protected against accidental or intentional corruption.
  • Machines must identify software necessary for safe operation of equipment.

The proposed law will also require that control systems be designed and built to withstand intended and unintended external influences, including malicious third-party attempts to create hazardous situations. It also will require mitigation from potentially dangerous consequences of physical and digital cyberattacks.

Several incidents have already shown a glimpse of what such attacks can do. In one incident, a cyberattack on a German steel mill caused extensive physical damage. Attacks on water treatment plants have also threatened to contaminate drinking water supplies, while attacks on oil and gas operations and food processing plants have threatened to disrupt key supplies that populations depend on.

Standards Changing

Standards bodies also are updating standards in parallel to the New Machinery Regulation to help the industry address safety and security risks together.

One example is the IEC Technical Report (TR) 63074 entitled “Safety of Machinery – Security aspects relate to functional safety of safety-related control systems.” It provides guidance for using the IEC 62443 series of IACS security standards to address security threats and vulnerabilities that can influence functional safety and impact a safety control system’s ability to maintain safe machine operation.

IEC TR 63074 recently launched a Technical Specification (TS) this year. It could become a normative standard — one that could help you meet the requirements of the New Machinery Regulation.

The IEC 61508 safety standard also is evolving to address the interrelated nature of safety and security. The standard already states that a security threat analysis should be conducted if a hazard analysis identifies a reasonably foreseeable malevolent or unauthorized action that constitutes a security threat. An updated version of the standard will be published this year and provide further guidance for addressing cybersecurity risks as part of a functional safety approach.

Published in 2018, another development to follow is the continued evolution of ISO TR 22100-4 entitled “Safety of Machinery – Relationship with ISO 12100 Part 4: Guidance to machinery manufacturers for consideration of related IT-security (cyber security) aspects” into a formative standard.

This standard provides the machine-builder community with an organized and structured approach for addressing IT security risks in relation to the overall safety risk assessment for a machine. It includes the essential steps to identify and assess IT security threats and provides guidance for applying appropriate IT risk mitigation measures.

Where Can You Start?

These new regulations and standards may be more than you feel you can deal with today.

You’re likely already being asked by customers to deliver high-performing machines that are smart, productive and safe. Now, on top of that, you also need to make sure your machines have the right level of cybersecurity to help protect your customer’s data, products, operations and people.

Packages in cardboard boxes being transported on a conveyor belt in a warehouse.
Podcast
4 Common Questions About Zero Energy State & LOTO

In this episode of the award-winning “Automation Chat” podcast, Theresa Houck, Executive Editor of The Journal From Rockwell Automation and Our PartnerNetwork magazine, presents the first in the new series, “In Case You Missed It.” She reads a great article from The Journal that you might not have seen.

In this episode, Theresa reads the article, “4 Common Questions About Zero Energy State & LOTO.” For electrical safety, it’s important to understand Zero Energy State, identify all energy going into and out of equipment, neutralize it using lockout/tagout, and make it safe to service.

And of course, get your family-friendly, silly Joke of the Day.

Listen on your favorite podcast app or on the web.

Listen Now

Fortunately, safety and security have some commonality in how you analyze and mitigate risks. In particular, both safety and security require you to perform a risk assessment, making that activity a good starting point to address safety and security together as part of a larger risk management strategy.

Of course, you can only address safety and security risks together if the OT and IT teams responsible for them are talking to each other and working together toward the same goal. This can be a significant hurdle to overcome.

Historically, OT and IT teams have taken their own separate paths for managing safety and security risks. Additionally, because IT protocols are sometimes seen as an obstacle for OT teams, the two sides may not have the best relationship. But it’s important that both groups put aside past differences and cooperate on what matters most to both — risk management.

When OT and IT teams join forces to address safety and security together for the first time, outside support can help the teams coalesce and get off to a smooth start. For example, a service provider with both safety and security knowledge can help you achieve consistency and alignment between your safety and security risk assessments.

Change is Coming

New laws and standards regarding cybersecurity generally are in development and are now set to include their impact on functional safety. They will affect you either directly or indirectly through your customers. By taking a proactive approach, you can prepare your business for these new requirements now and avoid playing catch-up later — and help your customers do the same.

Learn more about industrial cybersecurity and industrial safety solutions from Rockwell Automation.

Like this article? Sign up for the digital magazine from The Journal From Rockwell Automation and Our PartnerNetwork and get articles like this delivered right to your inbox.

 

 

 

The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Endeavor Business Media.

Recommended for You
Loading