Industrial Cyber Security: Cyber security in manufacturing

The Cyber Resilience Act (CRA) aims to protect connected products from unauthorized access and manipulation throughout their lifecycle. It applies to manufacturers as well as suppliers and importers of products with digital elements that are sold in the EU. In the B2B sector, numerous components for industrial, environmental and energy technology are affected by this regulation, for example sensors, control systems, software and hardware products with a direct or indirect data connection to another device or network.

The CRA requires vendors of digital products destined for industrial use to assess, implement, and verify cyber security in a structured, risk-based manner at all stages of the value chain. That, in turn, requires a secure engineering process, comprehensible instructions, machine-readable software bills of materials (SBOMs), risk analytics, and vulnerability management throughout the lifecycle. If vendors’ offerings fall short of these requirements, the CE mark and thus the access to the European market will be denied. In addition, rectification, product recalls or fines may be imposed.

Do you make a product equipped with digital components? Then talk to us. We will be delighted to advise you on how to comply with the CRA in the best and most pragmatic of ways. We would be equally happy to handle the cyber security side of product engineering for you. Count on us to deliver results that satisfy regulatory provisions and comply with standards such as the internationally recognized IEC 62443.

The NIS 2 directive is a broadened initiative to strengthen the security of networks and information systems within the European single market. Companies that operate in “essential and important facilities” in critical sectors such as mechanical engineering, energy, health, and food are subject to this directive. It can also apply to vendors of automation solutions, controllers, and sensors used by systems and machinery manufacturers.

NIS 2 requires a structured approach to cyber security for IT/OT operations and sets out measures to prevent or minimize the impact of security incidents. Companies that are subject to it must increase their protection against cyber attacks, comply with specific security standards, and keep their systems up to date.

Is your organization subject to the NIS 2 directive? We will gladly advise you on the best strategy and practices for complying with NIS 2 together with the national requirements and standards of ISO 27001. The first step is a cyber security check-up, for example, based on DIN SPEC 27076.

The EU RED Delegated Act for Cybersecurity (RED DA) applies to all manufacturers of products with radio interfaces (e.g. WiFi, Bluetooth, radar, …) or of products that have such interfaces permanently installed. The RED DA places additional requirements on the cyber security of these products.

According to RED, wirelessly networked machines such as control systems and robots in production must be adequately protected against hacker attacks, both for their own protection and to protect neighboring networks. In addition, there must be no operational interruptions due to cyber attacks. The new EN 18031 standard sheds light on what can be considered appropriate in this context. Radio products that have not been developed in compliance with RED may no longer receive CE labeling and therefore may no longer be marketed in the EU.

Do you fall under the RED DA? If so, we will be happy to advise you on how you can pragmatically implement the RED requirements.