Instrumentation and component suppliers are faced with stricter regulations regarding cyber security. For example, the Radio Equipment Directive will be expanded with new guidelines on 1 August 2024. Customers are also placing increasingly high demands on their suppliers in the field of cyber security. The impact of the new regulations was discussed during a theme meeting of the Industrial Automation sector, because many companies still have work to do to comply with all the new rules.

By: Dimitri Reijerman

The opening story was by Bart Scholten (KIWA). He described the requirements that the Radio Equipment Directive sets for wireless equipment and highlighted a number of cases in which hackers managed to cause damage. Certification, such as that carried out by KIWA and TÜV NORD Nederland, can help companies to take their security to a higher level and to make electronics comply with the new guidelines that will come into effect next year.

Scholten also showed a fictitious hack attempt in a demo. This example illustrated once again how weaknesses in the security of products can be actively abused. One of the requirements that will be imposed by the EU is that universal passwords may not be used and that the developer must offer firmware updates. The importance of the IEC 62443-4-1 & 4-2 standards, in which an independent third party carries out the certification, was also touched upon. And then the controversial Cyber Resilience Act, also drawn up to increase the security of software, still has to be approved by the EU.

Chris van den Hooven of Hudson Cybertec also spoke about the usefulness of certification for OT environments. For example, requirements around certification are already included in tenders or explicitly required by a client, whereby the IEC 62443 standards apply.

Maturity levels

Van den Hooven also discussed the upcoming NIS2 directive, which includes a duty of care and a reporting obligation. He also discussed the so-called 'maturity levels' within IEC 62443. These levels indicate which processes are optimized for a good level of security. It is important that companies start setting up a cybersecure development process.

Bas van Hertom of TÜV NORD Nederland delved even deeper into the subject of 'maturity levels'. To reach level 3 or even level 4, close cooperation is needed between system integrators, asset owners and maintenance providers. According to Van Hertom, it is important for manufacturers to anticipate the upcoming regulations now, also because the product development processes are becoming longer.

Siemens is setting an example in the Industrial Automation landscape by being the first to achieve level 4. Ruud Welschen of Siemens described how the group has put cyber security higher and higher on the agenda and has a dedicated team that inventories almost all current threats – recorded in so-called CVEs – and actively shares them with the sector.

After the various presentations, a lively discussion arose. Some companies fear that the costs of certification and other necessary steps could increase considerably. Small companies in particular could find it difficult. In addition, some guidelines are formulated too vaguely in the eyes of some producers, which could lead to ambiguities and differences in interpretation. The future will show how these issues will develop, but it is clear that companies must take steps to comply with the new guidelines.
