(Photo: © DALL.E / perfectpixelhunter_123RF / okapidesign)
December 2024
Cyber security has been playing a major role in the lift world for quite some time. Up to now, there was no lift-specific harmonised standard for cyber security. Many lift and component manufacturers are unsure how they should tackle this issue.
However, despite this uncertainty, there are ways for component manufacturers to prepare their portfolios for future additional regulatory requirements.
By Katrin Schwickal
What makes the issue of cyber security so complex? Cyber security is multifaceted and there are already countless non-binding documents, guidelines, directives and standards, etc. To mention just a few important documents: EU Cyber Resilience Act, ISO 27001, IEC 62443, ISO 8102 Part 20, BSI, MVO, AI Act...etc. Hence, assuming that requirements regarding cyber security are to become mandatory in future, the following questions arise: what is the first step and how can I prepare my portfolio for cyber security without knowing what requirements will apply?
There is of course no question either that people and processes will play a vital role. But the focus in this article is on the component that has to be protected before it is compromised, whether by mistake or intentionally.
IT or OT?: To be brief and very unspecific: IT is when it goes from one electronic device to another. OT is when it goes from one electronic device to a machine (with which people interact). In terms of content, there are many shared features but also important differences. If we are talking about lifts, the requirements refer to OT.Let us assume that cyber security is being analysed for an existing component and not for a completely new one. The regulatory basis for this analysis is the IEC 62443 standard series since it constitutes a very comprehensive regulatory code on OT security (see box IT or OT). In addition, it sections cover the product life cycle, taking various elements into account. A cyber security assessment for your own portfolio can thereby be made in several steps.
Step 1: List the manufactured components, including all versions, and then select a component with which the analysis begins.
Step 2: After this, you can use table B.2 from IEC 62443-4-2. Printing this out would make sense. The IEC series features seven foundational requirements. Work through all of these FRs, point by point.
Security Level (SL): SL describes the cyber security requirements for a component. A high SL must be selected to protect against highly capable and motivated attackers, a low SL suffices for the less skilled. The IEC 62443 series lists SL 1 to SL 4. ISO 8102-20 includes specific guidelines for the lift sector regarding which components have to meet which SL. If you want to consider an entire lift system instead of individual components, you can work with table B.2 of IEC 62443-3-3 for systems. This features system requirements (SRs) instead of CRs.The FRs consist of additional sub-points, the component requirements (CRs). Fulfilling a CR means you have also fulfilled a cyber security level (see box Security Level). CRs may include further requirement enhancements (RE), whose requirements have to be fulfilled if SL 2 to 4 have to/should be achieved.
Step 3: Using the table, the actual status of the component selected can be analysed. Having product specialists and programmers work through all requirements step by step can be helpful here. The two sides cannot always be familiar with each other's terminology but they can in this way quickly deliver well-founded results regarding pre-existing cyber security measures.
Harmonisation and certification: Every manufacturer can already have its products certified according to various cyber security standards in order to obtain official proof that its products are cyber secure.
Good to know: certification standards are only specified by accreditation bodies (e.g. DAKKS) for harmonised standards. Consequently, manufacturers should consider whether certification according to a standard that has not yet been harmonised makes sense for them. While IEC 62443 has in parts been harmonised and there are accredited bodies for this, certification can occur according to ISO 8102-20 according to standards set by the respective organisation itself, since the latter regulation has not been harmonised.Once the approximately 50 CRs have been compared with the features of the existing components, an initial statement can be made on what security levels are feasible in which CRs. If the status quo of current drafts becomes established, the SLs of ISO 8102-20 for lifts would be a good benchmark that should be met. In addition, this would facilitate an assessment of the effort for the unfulfilled open points.
What are the next steps? Analysing a component or an entire system does not mean the work is done but rather a potential first step. As already mentioned, processes and people are also an elementary constituent of cyber security. For example, IEC 62443-4-1 covers the life cycle requirements for safe product development. Manufacturers who want to get more involved with the subject have to document, establish and live the corresponding processes.
Irrespective of which regulations finally become established, this analysis will provide you with a good assessment of the cyber security of your components or system. In addition, you can in this way also determine the development costs you will face.
The author is Operational Excellence Manager at Riedl Aufzüge.
Digitalpaper
Write a comment