What the Cyber Resilience Act means for automation

Measures taken by KEB Automation to enhance cybersecurity

In the modern world of manufacturing, components with digital elements have long been indispensable. This brings with it many advantages, such as the smart use of existing machine data. At the same time, however, it is becoming increasingly important to rigorously assess the cybersecurity of products and processes. Against this backdrop, the European Union (EU) has, for the first time, established a legal framework for cybersecurity with the Cyber Resilience Act (CRA). What does this mean for KEB as a supplier of automation and drive technology? And what lies ahead for plant and machine engineering?

On 11 December 2027, the Cyber Resilience Act will come into full effect across the entire EU. Having entered into force in December 2024, the regulation aims to ensure that networked products are developed securely from the outset and receive relevant security updates throughout their entire lifecycle. This is a response to the fact that more and more devices and processes operate online and in networks, which increases their vulnerability to potential cyberattacks. The CRA is part of the European cybersecurity strategy and targets a wide range of digital products: from control systems and drive controllers to HMI panels and machinery.

For electrical drive and automation technology, this means that products are designed, developed and manufactured in accordance with the CRA’s fundamental cybersecurity requirements. Digital products may only be placed on the market if they have no known, exploitable vulnerabilities. Furthermore, actively exploited vulnerabilities and serious security incidents must be reported to the relevant authorities.

KEB is taking these measures

In automation technology in particular, systems are highly networked – from intelligent sensors or actuators right through to the cloud. This has implications for the security, integrity and availability requirements facing manufacturers, operators and system integrators alike. As a manufacturer of electrical drive and automation technology and networked components, KEB Automation bears direct responsibility for the cyber resilience of its products. “We have carried out an assessment of the cybersecurity risks for our products based on their intended use. On this basis, risk mitigation measures are defined and implemented. To significantly reduce the attack surface for potential cyberattacks on our products, the fundamental principles of ‘secure by design’ and ‘secure by default’ must be applied,” says Stephan Musiolik, Head of Electronics Development (Safety & Security) at KEB.

KEB initiated a company-wide programme at an early stage to meet all the regulatory and technical requirements of the CRA. The aim: the sustainable integration of cybersecurity within the company. Specific measures include the creation of internal guidelines for information and product cybersecurity, the establishment of a Security Office with representatives from development, quality assurance and IT security, and the integration of cybersecurity into the existing quality management system.

An information security management process in accordance with ISO 27001 has been established for the entire group. A secure product lifecycle management process, including vulnerability assessment, patch management and information procedures based on IEC 62443-4-1, has also been introduced. The supply chain has been taken into account as well: suppliers of components containing digital elements are integrated into KEB’s Secure Product Lifecycle Management process. A Product Security Incident Response Team (PSIRT) has been established to receive vulnerability reports and publish advisories.

Impact on mechanical engineering

All these measures have practical relevance for plant and machine engineering, as digital components are found in every modern machine. Consequently, in future, machine builders must ensure digital security in addition to mechanical and functional safety – including updates, vulnerability management and risk analyses. In doing so, they benefit from the fact that manufacturers such as KEB place great emphasis on compliance with cybersecurity requirements. Clear and comprehensible documentation of security features and vulnerability management ensures a high degree of transparency for plant and machine engineering. As cybersecurity is understood as an integral part of the product lifecycle, continuous improvements are to be expected. Furthermore, users benefit from the fact that KEB provides drive and automation components designed to meet the requirements of the CRA. Thus, compliance with the CRA requirements can be seen as an important contribution to greater cybersecurity in today’s interconnected world.

Your contact at KEB Automation

Stephan Musiolik

Head of R&D Electronics - Safety & Security

+49 5263 401-402
Stephan.Musiolik@KEB.de