Safety of machinery - Relationship with ISO 12100 - Part 4: Guidance to machinery manufacturers for consideration of related IT-security (cyber security) aspects (ISO/TR 22100-4:2018)

This document gives machine manufacturers guidance on potential security aspects in relation to safety of machinery when putting a machine into service or placing on the market for the first time. It provides essential information to identify and address IT-security threats which can influence safety of machinery.
This document gives guidance but does not provide detailed specifications on how to address IT-security aspects which can influence safety of machinery.
This document does not address the bypass or defeat of risk reduction measures through physical manipulation.

General Information

Status
Published
Publication Date
07-Apr-2020
Current Stage
6060 - Definitive text made available (DAV) - Publishing
Due Date
08-Apr-2020
Completion Date
08-Apr-2020

Buy Standard

Technical report
-TP CEN ISO/TR 22100-4:2021
English language
23 pages

Standards Content (sample)

SLOVENIAN STANDARD
SIST-TP CEN ISO/TR 22100-4:2021
01 February 2021

Safety of machinery - Relationship with ISO 12100 - Part 4: Guidance to machinery manufacturers for consideration of related IT-security (cyber security) aspects (ISO/TR 22100-4:2018)

This Slovenian standard is identical to: CEN ISO/TR 22100-4:2020
ICS: 13.110 Safety of machinery
SIST-TP CEN ISO/TR 22100-4:2021 en,fr,de

2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

TECHNICAL REPORT CEN ISO/TR 22100-4
April 2020
ICS 13.110
English Version
Safety of machinery - Relationship with ISO 12100 - Part 4: Guidance to machinery manufacturers for consideration of related IT-security (cyber security) aspects (ISO/TR 22100-4:2018)

This Technical Report was approved by CEN on 6 April 2020. It has been drawn up by the Technical Committee CEN/TC 114.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

© 2020 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. CEN ISO/TR 22100-4:2020 E

European foreword

The text of ISO/TR 22100-4:2018 has been prepared by Technical Committee ISO/TC 199 “Safety of machinery” of the International Organization for Standardization (ISO) and has been taken over as CEN ISO/TR 22100-4:2020 by Technical Committee CEN/TC 114 “Safety of machinery” the secretariat of which is held by DIN.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

Endorsement notice

The text of ISO/TR 22100-4:2018 has been approved by CEN as CEN ISO/TR 22100-4:2020 without any modification.
TECHNICAL REPORT ISO/TR 22100-4
First edition 2018-12
Safety of machinery — Relationship with ISO 12100 — Part 4: Guidance to machinery manufacturers for consideration of related IT-security (cyber security) aspects
Reference number ISO/TR 22100-4:2018(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2018

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General characterization of safety of machinery versus IT-security
4.1 Principle objectives
4.2 Different elements of risk
4.3 Consequences for risk assessment process
5 Relationship to existing legal and standardization framework regarding safety of machinery
5.1 Legal framework
5.2 Standardization framework – Relationship to ISO 12100
6 Relationship between safety of machinery and IT-security
7 Essential steps to address IT-security over the whole life cycle of the machine
8 Generic guidance for assessing IT-security threats regarding their possible influence on safety of machinery
9 Roles to address IT-security issues with possible relevance to safety of machinery
10 Guidance for machine manufacturers to address IT-security issues with possible relevance to safety of machinery
10.1 General
10.2 Selection of appropriate components (hardware/software)
10.3 Appropriate machine design
10.4 Instruction handbook (guidance to the machine user)
Annex A (informative) Example of a legal framework
Bibliography
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 199, Safety of machinery.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.

A list of all parts in the ISO 22100 series can be found on the ISO website.
Introduction

Internet, digital services and technology are important enablers for smart manufacturing, which is one part of internet of things (IoT) (see ISO/IEC 20924). For the manufacturing environment, the foundations are vertical networking and horizontal integration across the entire value chain, convergence of design, ordering, delivery and manufacturing capabilities. This results in the transformation of conventional value chains and the emergence of new business models. Smart products based on smart manufacturing know many details on how they were made, their performance and how they are being used. The physical product is linked to its digital representation, and the digital content depends on lifecycle phase. Implementing smart manufacturing creates an efficient and highly responsive package by leveraging existing manufacturing systems, as well as technological and economic potential. Smart manufacturing increases the vulnerabilities of machinery to IT-security threats.

Smart manufacturing leads to the emergence of dynamic, real-time optimized, self-organizing value chains. An appropriate regulatory framework is therefore necessary, as well as standardized interfaces and harmonized business processes. Smart manufacturing is characterized by:
a) increased product flexibility;
b) new intrinsic built-in product properties;
c) flexible work organization;
d) changed scale (up to a lot size 1) and location of manufacturing.

For smart manufacturing, the description of the network infrastructure needs to be further expanded to enable privacy, self-configuration and ease of use. Therefore, there is a need for fast available, robust and secure communication networks.

The primary purpose of this document is to address aspects on safety of machinery that can be affected by IT-security attacks related to the direct or remote access to, and manipulation of, a safety-related control system(s) by persons for intentional abuse (unintended uses). IT-security attacks are increasingly becoming a potential threat to the safety of machinery. Although intentional abuse falls outside the scope of ISO 12100 and the (safety-related) risk assessment process, it is reasonable also for machinery manufacturers to consider such threats.

Current technologies enable machinery to be monitored and/or improved regarding their performance remotely by adjusting parameters without having to be on site at the machine. This ability provides considerable benefits as machinery can be kept operating without the downtime and associated costs of a field service person making a service call.

However, this same capability to adjust machine parameters to improve performance lends itself to the possibility for persons with nefarious or criminal intent to make adjustments that can put workers and others at risk of harm. For example, speeds or forces can be adjusted to dangerous levels, temperatures can be lowered below a kill step level resulting in food contamination, or error codes or messages can be erased or falsified.

Human error can have little relation to IT-security in its strict sense. Those unintentional influences (reasonably foreseeable human error when adjusting parameters of the machine or its control system) are already covered within the normal (safety-related) risk assessment and the resulting inherently safe design of the control system (see ISO 12100:2010, 6.2.11.1).

1 Scope

This document gives machine manufacturers guidance on potential security aspects in relation to safety of machinery when putting a machine into service or placing on the market for the first time. It provides essential information to identify and address IT-security threats which can influence safety of machinery.

This document gives guidance but does not provide detailed specifications on how to address IT-security aspects which can influence safety of machinery.

This document does not address the bypass or defeat of risk reduction measures through physical manipulation.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 12100:2010, Safety of machinery — General principles for design — Risk assessment and risk reduction

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 12100 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

3.1
antivirus tool
software used to detect malicious code, prevent it from infecting a system, and remove malicious code that has infected the system

3.2
attack
attempt to gain unauthorized access to system services, resources, or information
[SOURCE: CNSSI-4009, modified — “.., or an attempt to compromise system integrity, availability, or confidentiality” has been deleted at the end of the definition.]

3.3
authentication
verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system
[SOURCE: NIST SP 800-53]

3.4
authorization
right or permission that is granted to a system entity to access a system resource
[SOURCE: RFC 4949]

3.5
confidentiality
preserving authorized restrictions on, and preventing unauthorized access (3.18) to information

3.6
encryption
transformation of data into a form that conceals the data’s original meaning to prevent it from being known or used
Note 1 to entry: If the transformation is reversible, the corresponding reversal process is called “decryption,” which is a transformation that restores encrypted data to its original state.
[SOURCE: RFC 4949, modified — The word “cryptographic” has been deleted before “transformation of data” and “(called “plaintext”)” deleted afterwards; “(called “ciphertext”)” has been deleted after “form”. The second sentence has been moved to Note 1 to entry.]

3.7
firewall
software that restricts data communication traffic between two connected networks.
Note 1 to entry: It is also common to name specific hardware in which the software runs a firewall.

3.8
integrator
entity who designs, provides, manufactures or assembles an integrated manufacturing system and is in charge of the safety strategy, including the protective measures, control interfaces and interconnections of the control system
Note 1 to entry: The integrator can be a manufacturer, assembler, engineering company or the user.
[SOURCE: ISO 11161:2007, 3.10]

3.9
integrity
condition of guarding against improper modification or destruction of information

3.10
IT-security
Information Technology security
cyber security
protection of an IT-system from the attack (3.2) or damage to its hardware, software or information, as well as from disruption or misdirection of the services it provides

3.11
IT-security incident
occurrence that actually or potentially jeopardizes the confidentiality (3.5), integrity (3.9), or availability of an IT-system

3.12
machine control system
system which responds to input signals from parts of machine elements, operators, external control equipment or any combination of these and generates output signals causing the machine to behave in the intended manner
Note 1 to entry: The machine control system can use any technology or any combination of different technologies (e.g. electrical/electronic, hydraulic, pneumatic, mechanical).
[SOURCE: ISO 13849-1:2015, 3.1.32]

3.13
password
string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization (3.4)

3.14
remote access
access by users (or information systems) communicating external to an information system security perimeter
[SOURCE: NIST SP 800-53]

3.15
risk reduction measure
protective measure
action or means to eliminate hazards or reduce risks
[SOURCE: ISO/IEC Guide 51:2014, 3.13]

3.16
smart manufacturing
manufacturing that improves its performance aspects with integrated and intelligent use of processes and resources in cyber, physical and human spheres to create and deliver products and services, which also collaborates with other domains within enterprises’ value chains
Note 1 to entry: Performance aspects include agility, efficiency, safety, security, sustainability or any other performance indicators identified by the enterprise.
Note 2 to entry: In addition to manufacturing, other enterprise domains can include engineering, logistics, marketing, procurement, sales or any other domains identified by the enterprise.

3.17
threat
any IT-security incident (3.11) with the potential to adversely impact machinery operations

3.18
unauthorized access
any logical or physical access which is not intended by the owner of an IT-system

3.19
vulnerability
weakness in the security of an IT-system that can be exploited or triggered by a threat (3.17)

4 General characterization of safety of machinery versus IT-security

4.1 Principle objectives

The principle objectives and conditions of IT-security are very much different from machinery safety, see Table 1.

Table 1 — Principle objectives

| | Safety of machinery | IT-Security (cyber security) |
|---|---|---|
| Objectives | injury/accident prevention, health (avoidance of harm) | availability, integrity, confidentiality |
| Conditions (risks, methods, measures) | transparent (obvious) | not obvious (not shared with machinery user) |
| Dynamics | rather static field (intended use, reasonable foreseeable misuse) | highly dynamic field; moving target (intentional manipulation, criminal intent) |
| Risk reduction (mitigation) measures | mainly by machine manufacturer at a dedicated time (when providing the machine for the first use) | by various actors (machine manufacturer, integrator, machine user, service provider) at any time along the overall life cycle |

4.2 Different elements of risk

The elements of risk regarding safety are characterized as given in Figure 1.

Figure 1 — Elements of risk related to safety of machinery (see ISO 12100:2010, Figure 3)

Regarding IT-security the elements of risk are different and can be characterized according to Figure 2 as follows:

Figure 2 — Elements of risk related to IT-security

4.3 Consequences for risk assessment process

Based on the differences shown in 4.2, risk assessment regarding safety of machinery which is prescribed in ISO 12100:2010, Clause 5 has to be distinguished clearly from a risk assessment regarding IT-security.

An example regarding IT-security risk assessment for industrial automation and control systems is given in IEC 62443-3-2:— , Clause 5.

5 Relationship to existing legal and standardization framework regarding safety of machinery

5.1 Legal framework

Legal frameworks for putting a machine into service or placing it on the market for the first time (responsibility of the machine manufacturers) and ISO 12100 restrict the scope of safety of machinery to the “intended use” and the “reasonably foreseeable misuse” of a machine. Every kind of intentional violation (sabotage/spying) of a machine is de facto a criminal act which is outside the scope of current safety legislation. Consequently, it is also out of the scope of standardization for safety of machinery, which supports such legislation. For an example, see Annex A.

5.2 Standardization framework – Relationship to ISO 12100

In line with local/regional legal framework for putting machinery into service or placing on the market for the first time, ISO 12100 does not explicitly address IT-security attacks and/or threats which are categorized as intentional abuse and criminal acts.

The determination of the limits of the machinery as part of the strategy for risk assessment and risk reduction in ISO 12100 only considers the intended use and any reasonably foreseeable misuse (see ISO 12100:2010, Clause 4). IT-security attacks and/or threats from outside and possible safety implications (via vulnerabilities of the machine control system or other electronic parts) are not considered as reasonably foreseeable misuse.

However, manufacturers providing machinery which can have vulnerabilities to IT-security attacks and/or threats should take this aspect into account in particular when IT-security attacks and/or threats can have an impact to safety of machinery.

6 Relationship between safety of machinery and IT-security

The relationship between safety of machinery and IT-security is shown in Figure 3.

1) Currently available as draft document IEC 65/690/CDV:2018.

Figure 3 — Relationship between safety of machinery and IT-security

Resulting from 4.3 and Figure 3, the safety risk assessment for a machine according to ISO 12100 should be made in advance of any IT-security risk considerations. The resulting inherently safe design measures, and safeguarding and risk reduction measures, of a machine should then be analysed regarding possible vulnerabilities against IT-security threats.

Resulting IT-security risks can then be mitigated through the combined efforts of component suppliers, the machinery manufacturer, the integrator, and the machinery user. In general, the potential responses to security risks should apply the following hierarchy based on ISO 12100:
a) eliminate the security risk by design (avoid vulnerabilities);
b) mitigate the security risk by risk reduction (mitigation) measures (limit vulnerabilities);
c) provide information about the residual security risk and the measures to be adapted by the user.

NOTE The comparable term to “risk mitigation” is the term “risk reduction” used in safety of machinery.

Those vulnerabilities against IT-security attacks (threats) depend heavily on whether a machine can be connected to an external IT-system and how often this happens. Answering the following questions can help limit or restrict IT-security threats and vulnerabilities.
1) Does it need to be connected?
2) Does it need to be connected at all times (continuously)?
3) Is the connection monitored [e.g. using a virtual private network (VPN) system]?
4) Is the connection configurable (e.g. access for authorized persons only)?
5) Can the connection be restricted to "read only" mode (without ability to change)?

Consequently, a machine without any direct or indirect interface to external IT-systems can be considered as not vulnerable to IT-security attacks.

7 Essential steps to address IT-security over the whole life cycle of the machine

IT-security threats and vulnerabilities require cooperation and coordination between the component suppliers, the machinery manufacturer, the integrator, and the machinery user. Each has a role to play in preventing IT-security attacks throughout the phases of the lifecycle of the machinery. No party can assign to another the responsibility for IT-security, or assume that another is fully responsible for IT-security. At the same time, no party has all of the required information available to effectively address IT-security threats and vulnerabilities throughout the phases of the lifecycle of the machinery.

Component suppliers, the machinery manufacturer, the integrator, and the machinery end user should each use the essential elements to evaluate its system(s). Part of the evaluation should include communicating to the other parties the threats and vulnerabilities which it cannot fully address alone or which have implications to the other parties. For example, a machine manufacturer cannot prevent entirely an IT-security threat if the machinery user connects the machine to the connected world via its communication or networked system. The machinery manufacturer should inform the machinery user of the preferred communications method(s) in order to minimize potential attacks.

Essential steps for providing effective IT-security should be considered by machinery manufacturers and integrators. This should be done as far as possible in the context of the machinery user's actual or expected IT-infrastructure.

The following five steps should enable machinery manufacturers and integrators – regardless of size, degree of IT-security threats, or sophistication – to apply the principles and best practices to improving the security and resilience of machinery.
a) Identify – What are the IT-security threats and vulnerabilities?
— Why would an entity attack the machine control system?
— What does the machine user have that is valuable?
— What are the vulnera
...
