Machinery Regulation, Cyber Resilience Act (CRA) and IEC 62443

Against the background outlined above, the central question now arises: Where does the classic mechanical engineer fit into this role model of IEC 62443? Are they a component manufacturer, a system integrator – or both? And should their machines be treated as products or as systems within the meaning of the standard?

Anyone who takes a closer look at IEC 62443 will quickly come to the conclusion that the series of standards was not primarily developed for machine builders. They play a somewhat mixed role in this context, as they build and deliver complex technical systems, but often act as product suppliers:

• A standard machine manufacturer who sells a machine (or machine system) as a series-ready product to many different customers without customising each individual installation on site behaves largely like a product manufacturer. They develop the machine at their own risk, install standardised components (PLC, drives, HMI, etc.) and deliver a finished machine to the customer, who then commissions it themselves. In IEC 62443 terms, this largely corresponds to the role of the product manufacturer, except that the ‘product’ delivered here is not a single device, but a machine consisting of many parts. In this case, the machine manufacturer assumes responsibility for the safe design of the machine as a whole, similar to how a component manufacturer is responsible for its device. During development, they usually have no direct contact with the future operator, apart from general market requirements.
• A special machine manufacturer, on the other hand, who designs a tailor-made plant or production line in close consultation with an individual customer, also acts as an integration service provider. They design and build a unique solution with a specific design for the customer and, if necessary, integrate existing customer systems or requirements. Here, the activity largely corresponds to the role of the system integrator. The machine manufacturer works with the operator to define and implement the safety requirements for this specific system. The perspectives of the operator and the integrator thus converge. In such cases, the machine manufacturer can certainly be regarded as an integrator within the meaning of IEC 62443. However, as described above, this classification should not be viewed as absolute, but rather as falling more within the scope of the integrator on the manufacturer -> integrator spectrum, which does not mean that certain aspects of the manufacturer role according to IEC 62443 are not still relevant.

Component or solution approach? In terms of safety, a single machine cannot be categorised unequivocally as a mere component or a fully-fledged IACS solution – it depends on the size and complexity of the machine. Here are a few examples to help with classification:

• A compact standard machine with only one control system and a few sensor/actuator assemblies could theoretically be considered a complex component. However, the IEC 62443-4-2 requirements for components only apply to a limited extent here, as they typically apply to individual devices (e.g. requirements for a single control system or communication device). However, the machine consists of several components and fulfils a function as a whole.
• Many machines – especially more complex production machines or plant modules – are better understood as stand-alone systems. They often have an internal network, multiple control units, operating stations, etc., and are essentially small automation systems. The technical system requirements from IEC 62443-3-3 would be more relevant here, as they cover security aspects of an entire solution (e.g. user management, logging, network segmentation, whitelisting, etc.). In practice, however, it has been shown that not all requirements of IEC 62443-3-3 can be applied directly to a single machine on a one-to-one basis. For this purpose, IEC 62443-3-3 (as well as IEC 62443-4-2) provides for the concept of ‘compensating countermeasures’. This concept allows external measures to be used to fulfil the requirements for the system/product in justifiable cases. From this perspective, requirements of IEC 62443-3-3, such as the requirement for centralised user management or shared log servers for the entire system at higher security levels – provided that an isolated machine may not be able to or required to provide these functions in full – can also be met by an external service (e.g. a higher-level system) via an interface.
   

IEC 62443 does not explicitly address machine builders, and there are grey areas. Depending on the scenario, a machine manufacturer can therefore act as both a manufacturer and an integrator – and its machine can be viewed as both a product and a system. In case of doubt, however, the classification tends to lean towards the system perspective. A machine consists of several IACS components and behaves like a small industrial automation system, so that consideration in accordance with IEC 62443-3-3 (system requirements) is obvious. For the machine manufacturer, this means that they should provide system-wide security functions wherever possible (e.g. user and rights management, network segmentation within the machine, hardening of all embedded components, etc.), as required for an IACS system. At the same time, they must also ensure that the individual components installed (controllers, HMIs, routers, etc.) have sufficient security features – ideally developed in accordance with IEC 62443-4-2 or similar standards.

From a process perspective, the applicable IEC 62443 standards depend on the type of business. A manufacturer who develops products and manufactures them in series should above all establish a secure development process in accordance with IEC 62443-4-1. An integrator/plant manufacturer who designs customer-specific projects should rather take into account the requirements for secure integration services in accordance with IEC 62443-2-4. In reality, many mechanical engineering companies will wear both hats: special machine builders in particular need both a secure development process (IEC 62443-4-1) and competent integration practices (IEC 62443-2-4) to ensure security by design. Standard machine manufacturers will primarily implement the Secure Development Lifecycle (SDL) in accordance with IEC 62443-4-1, but can also benefit from integration guidelines – for example, when commissioning their machines at customer sites or offering services.
In order to meet the basic requirements of the Cyber Resilience Act, it remains to be seen which standards will be included by the EU Commission as harmonised EU standards in the Official Journal of the European Union in accordance with the Cyber Resilience Act or the Machinery Regulation. The latter in particular should then contain specific recommendations for action for regulated products, e.g. machines. Due to the broad acceptance of IEC 62443, it can be assumed that the EU standards will not reinvent the world of security, but will be based on the basic concepts of these standards.

For manufacturers of machinery, this means that, in the absence of harmonised EU standards, they will find it difficult to avoid dealing with the requirements of the respective parts of IEC 62443 in order to ensure that their product development is already at the state of the art (in terms of security). For the future of the standards landscape, it is to be hoped that the harmonised standards will be aligned with the legal requirements in order to leave behind the laborious and potentially costly interim situations that we are experiencing in mechanical engineering with regard to IEC 62443 and that the convenience of appropriate harmonised standards, which is well known in the safety world but sometimes underestimated, will also find its way into practice as quickly as possible in the security sector.