The third new statutory information security requirement is the EU Machinery Regulation. The regulation will soon be published. Since it is a regulation rather than a directive, it does not first have to be transposed into national law. Machine manufacturers have 42 months to comply with the new requirements. The Machinery Regulation replaces the existing Machinery Directive and, in contrast to the former, makes cybersecurity mandatory. Whereas the Machinery Directive looks purely at safety, the Machinery Regulation incorporates the objective of information security protection into the “protection against corruption” clause of the Essential Health and Safety Requirements (EHSR): the safety functions of the machinery must not be compromised by corruption, whether intentional or unintentional. It is already known that meeting the requirements of the Cyber Resilience Act leads to a presumption of conformity with the Machinery Regulation.
For now: Who needs to focus on what?
What do these statutory requirements mean in practice? I want to use the power sector to illustrate how they interlock:
So far, only energy suppliers have been affected by the NIS Directive. With NIS 2, manufacturers of power generation equipment, such as wind turbines, will also have to meet these requirements in the future. In turn, wind turbine manufacturers need automation solutions, such as controllers or sensors from Pilz. Above a certain company size, manufacturers of electrical components also fall within the scope of NIS 2. And since NIS 2 also requires suppliers to be taken into account, companies like Pilz must pay attention to a secure supply chain and place demands on their own suppliers. Thus, NIS 2 covers the entire supply chain.
Machine manufacturers importing machines to Europe have always had to go through a conformity assessment procedure and finally obtain the CE mark.
Now, with the introduction of the new Machinery Regulation, machine manufacturers must prove that their machines also have protection against manipulation. Finally, manufacturers of electrical components must comply with the future requirements of the planned Cyber Resilience Act.
Bottom line: It is no longer up to companies to decide whether, and to what extent, they want to deal with information security. This is becoming a legal requirement! It is advisable to conduct a comprehensive information security assessment of the company against NIS 2 as soon as possible. This includes, for example, the development of an Information Security Management System (ISMS) and certification to the information security standard ISO 27001.
In engineering, security in the form of industrial information security is not just a task for IT departments, but an integral part of design and construction. Implementing security retroactively is always complex and often means reduced user friendliness, functionality, and productivity. Risk assessment now also includes information security and machinery safety. No information security, no CE mark!
For manufacturers of products with digital elements, the IEC 62443 series of standards provides good guidance. For example, part IEC 62443-4-1 describes the requirements for a “secure development lifecycle process.”
The EU has made rapid progress on security legislation; the world’s most stringent requirements will come into force in Europe. However, agreements have also been reached with other countries, and similar laws will be introduced there as well. Australia, for example, is currently negotiating with the European Union and may follow European standards. Global alignment of industrial information security requirements can therefore be expected.
Open communication standards as a historical mission
At Pilz, openness and user friendliness are key features of the product portfolio. We want to offer our customers products that are always state of the art, remain easy to use, and can be added to any automation architecture.
With SafetyBUS p, the first safe fieldbus system, and SafetyNET p, a safe real-time Ethernet, we have shaped the evolution of safe industrial communications. But the era of proprietary solutions is over. We are fully committed to creating industry standards. This is a historic mission!
OPC UA
The industry has agreed on OPC UA (Open Platform Communications Unified Architecture) for secure, cross-vendor networking in industrial plants. This communication protocol provides a standardized (IEC 62541) interface for communication between different data sources in the industrial sector. As members of the OPC Foundation, Pilz employees actively participate in the Steering Committee and the technical working groups of the Field Level Communications (FLC) Group. Pilz’s focus is on the working groups dealing with safety issues (OPC UA Safety).
Of particular value is our expertise in the use of publish/subscribe technology (Pub/Sub) in relation to the requirements of a functionally safe fieldbus protocol. In contrast to the traditional master/slave structure, with Pub/Sub, data can be exchanged directly between participants without a central master. This allows OPC UA to also be used for demanding distributed automation tasks. Pilz has special expertise in this area, as our SafetyNET p is the only safe, Ethernet-based fieldbus system that has supported Pub/Sub from the start.
Our work on functional safety issues is progressing well. The team is working with the inspection machine