Cybersecurity, today, is the safety of people
What changes for manufacturers and users under the Machinery Regulation 2023/1230
OT Cybersecurity and the Machinery Regulation (EU) 2023/1230
When an IT system is compromised in an office, the consequences remain digital. When the same kind of attack hits the control system of an industrial machine, the consequences leave the screen: they can disable safety functions, trigger dangerous movements, block emergency stops.
OT cybersecurity, which concerns the operating systems of plants, the PLCs, the field networks and the remote connections, has a direct impact on the physical safety of the people who work with those machines. The Machinery Regulation (EU) 2023/1230 has formalised this link, introducing for the first time specific requirements on the protection of software, control systems and critical data.
The perimeter of the machine has widened
The Machinery Directive 2006/42/EC was conceived for mechanical and electromechanical machinery. The text contained no explicit references to software, connectivity, artificial intelligence or cybersecurity. For twenty years, that part of the risk remained in a grey area.
The Machinery Regulation (EU) 2023/1230, which will apply from 20 January 2027, fills this gap. Embedded software, OT networks, remote access: the Regulation treats them as machine components in every respect, with the related design and safety obligations.
The new EHSR 1.1.9, Protection against corruption, states that machinery must be designed and constructed so that connections and remote access cannot allow the alteration of safety functions or the generation of hazardous situations. The requirement covers three distinct areas:
- Software
- Hardware components
- Critical data
SAFETY and SECURITY: two distinct concepts
In industrial machinery with digital components and connectivity, functional risks (safety) and cyber risks (security) can no longer be managed as separate domains.
Unauthorised access, a configuration change or an uncontrolled software update can affect the behaviour of the machine and therefore the safety of operators.
In Regulation (EU) 2023/1230, safety and security converge.
Safety
What it protects: Operators from the hazards arising from the operation of machinery.
Reference: Regulation (EU) 2023/1230.
Examples: Guards, barriers, emergency stop.
Type of measure: Physical and/or electronic.
Security
What it protects: Machinery and data from tampering and unauthorised access.
Reference: Cyber Resilience Act (EU) 2024/2847.
Examples: Authentication, encryption, firmware updates.
Type of measure: Technical and procedural.
Security
What it protects: Machinery and data from tampering and unauthorised access.
Reference: Cyber Resilience Act (EU) 2024/2847.
Examples: Authentication, encryption, firmware updates.
Type of measure: Technical and procedural.
Safety
What it protects: Operators from the hazards arising from the operation of machinery.
Reference: Regulation (EU) 2023/1230.
Examples: Guards, barriers, emergency stop.
Type of measure: Physical and/or electronic.
In other words, from 2027 it will not be enough to design a machine that is safe from a mechanical, electrical or functional point of view. It will be necessary to demonstrate that software, networks, connected devices and digital access cannot compromise the safety functions provided for by the design.
A machine may comply with the traditional safety requirements, but if it is vulnerable to IT manipulation that alters functions, parameters or control logic, the overall level of safety is compromised. The protection of people and the protection of digital systems thus become parts of the same risk management process.
The other novelties of the Regulation concerning software
The Regulation addresses the software theme more broadly.
EHSR 1.2.1, Safety and reliability of control systems
It requires control systems to be designed in a safe and reliable manner, including those that integrate evolving software or artificial intelligence.
Changes in the behaviour of the machine, even generated by self-adaptive systems, must be managed so as not to generate hazardous situations.
Substantial modification
The Regulation introduces a clear definition for the first time.
A modification is substantial when it affects the safety of the machine by creating a new hazard or increasing an existing risk.
The novelty compared to the Directive is explicit: the modification may occur “by physical or digital means”. A software update that alters the behaviour of the safety system falls within this definition.
Software as a safety component (Annex II)
In Annex II of the Regulation, the list of safety components, software that ensures safety functions appears for the first time. Software of this kind, if placed on the market separately, will have to be CE marked and accompanied by an EU declaration of conformity and instructions for use.
The same obligation applies to safety components with self-evolving behaviour based on machine learning.
How we handle this part
The digitalisation of machinery has made OT cybersecurity an integral part of risk assessment. This means addressing the cybersecurity aspects relevant to the safety of people and to the regulatory compliance of the machine.
Our approach is calibrated on the real perimeter of the plant and on the applicable requirements. We keep the focus on the OT systems of the machine, away from IT activities that are not pertinent.
The services we offer on this front:
- OT system cybersecurity assessment (OT Assessment) / Preliminary analysis of the OT architecture, identification of the relevant perimeter and of the critical points against regulatory requirements.
- Cyber Compliance CE / Verification of the cybersecurity requirements applicable to CE marking under the Machinery Regulation (EU) 2023/1230.
- Cyber Compliance CE Advanced / Extension of the analysis to the entire OT system beyond the minimum CE requirements.
- Security Level determination to IEC 62443 / Assessment of the security level of the OT systems according to the international reference standard for industrial cybersecurity.