As usual, we also published the article by Tim Ebeling, managing director of the SME lift measurement equipment manufacturer Henning, on our website. Max Mairle, Product Security Manager at TK Elevator, then used the comment function on lift-journal.com to contradict several points of Ebeling's assessment. This led to an exhaustive (and very objective!) online discussion between the two experts, which prompted LIFTjournal to invite both to a discussion.
Mr Mairle, you gave your views in great detail on Mr Ebeling’s article on our website. What inspired you to do so?
Mairle: First of all, I’m pleased LIFTjournal has tackled this increasingly important topic. But I disagree on some points. As a member of the working group that is currently working on this standard, I didn't want to leave them uncommented.
Mr Ebeling, which points in particular were addressed in your exchange?
Ebeling: Apart from many points of agreement, we have different views on three points. On the one hand, I would like to see more technical than organisational requirements in such a standard. I understand Mr Mairle’s view that security in many regards also involves organisation. However, I see great problems in the information exchange required in the draft standard between operators, installers, maintenance service providers and component manufacturers for SMEs.
The parties mentioned normally aren’t aware or cannot even know what lifts they are jointly involved in. Therefore, I’d prefer an approach that relates the cyber security requirements to the finished lift and does not already intervene in the work processes of individual companies. I’m thinking here of the component manufacturers, for example, who would already have to consider these requirements before they begin developing a component.
I equally see great difficulties for SME installation and maintenance companies in dealing with lifts whose components have to meet the requirements of this cyber security standard. The mechanical replacement of one component would then result in additional, previously unknown work. This involves the system integration of new components, such as the replacement of software certificates, etc.
This would of course also have a massive influence on commissioning such a lift. In addition, it appears questionable to me whether open bus systems, such as CANopen DSP 417, in their current form would be in harmony with the draft of ISO 8102-20. They probably wouldn’t, since the CAN bus would have to possess encrypted communication (e.g. with software certificates).
However, the point most disputed between Mr Mairle and me is the so-called “secure zone”. This does not exist in ISO/DIS 8102-20, but does, for example, in the proposals of the North American NEII. In this concept, the “secure zone” is considered to be the actual lift (machine room, shaft), and electronic access from outside is considered insecure. Consequently, only the components that form the interface to the outside need to be specially protected against attack. This would be a concept similar to functional safety: (functional) safety components would have to meet a particular SIL level, but other system components would not. This concept could be very readily realised in practice, which is why I prefer it.
Mr Mairle, why do you disagree with this argument?
Mairle: Product or cyber security is primarily an organisational task. Technical measures are undoubtedly necessary and are also required by the standard, but their selection has to be sensible, properly implemented and configured in order to be able to make a contribution to security.
The measures also have to be permanently reviewed and maintained, since otherwise every system sold must be regarded as outdated in security terms at the latest on the day of its installation and consequently as potentially insecure. All of this requires a functional system consisting of processes and cooperation of all parties that contribute to cyber security. Consequently, it only makes sense to orient the core of a cyber security standard to a ‘secure development life cycle’.
The fact that manufacturers of security-relevant components also have to guarantee the security of their products after sale, but do not necessarily know where and how their components are deployed, is not just a lift sector problem. Other sectors, such as IT, also face, or faced, similar challenges.
The solutions found can undoubtedly be adopted by our sector. If a company today uses security-relevant IT components, such as a network device, the manufacturer of the product normally doesn’t know anything about the operator or its specific use. If the manufacturer becomes aware of a vulnerability in its product, it publishes this ideally and announces corresponding recommended action. Either the operator itself or a third party commissioned by it monitors these published vulnerabilities to take suitable measures after their analysis.
As Mr Ebeling rightly notes, application of the standard will result in work steps and job profiles not previously common in our sector, also in maintenance or commissioning. If as a sector we want to provide products that are secure in cyber security terms, this will be unavoidable.
I consider the assumption of a “secure zone” covering the entire lift system, which only has to be protected against external threats, to be at least questionable. For example, later changes to a lift can result in additional interfaces to the heart of the system, which were not considered at the time of installation.
Moreover, direct physical access to installed components, depending on the lift, cannot be ruled out. A “defence in depth” concept admittedly continues to be identified as best practice, but can hardly be realised if the focus is purely on the interfaces to the outside world: if there is only one protective layer around the overall system, the whole system has to be regarded as compromised as soon as this one layer is no longer effective. Consequently, in my view, potential vulnerabilities and interfaces on the inside of the system can neither be neglected nor do they permit the assumption of a “secure zone”.
Does the fact play a role in your differing positions that you, Mr Mairle, take the view of a large group and you, Mr Ebeling, that of an SME/component manufacturer?
Mairle: Even if I work for a group, which offers the entire product range of our sector, from product development to lift maintenance, I don’t believe this has a major influence on my positions. It should at any rate be clear that the goal of a new cyber security standard is to establish minimum standards to enhance the security of our passengers and staff on site, and not the exclusion of market participants. To achieve this, companies must change the way they have worked up to now in certain areas, irrespective of their size.
Ebeling: Apart from the technical requirements (which of course every component manufacturer should be able to meet), I certainly also consider the draft standard in terms of the effect that it will have on our market environment. If installers, maintenance companies and component manufacturers are united in one company, the organisational requirements mentioned are relatively easy to meet.
This is much more difficult for SMEs, since normally it involves dozens of parties. Admittedly, there is only one installer and one maintenance company each, but a large number of component manufacturers. Consequently, one department that is concerned with organising cyber security is not enough. In addition, they must coordinate with each other across companies. I regard the practical implementation of the organisational portion of the draft standard as very difficult for SMEs.
On what aspects do you then both agree?
Ebeling and Mairle: We both see that cyber security is important for lifts and will undoubtedly become even more important in future, the more functions are replaced by electronics and software instead of mechanical components. We have no doubt either that a cyber security standard will have a considerable influence on the way our sector operates in the future.
We also agree that one of the most important security measures will have to be to ensure that physical access to the lift hardware, whether electronic or mechanical, is ruled out as far as possible. And despite any discussions about the “secure zone”, we both see the greatest protective need of a lift to be against external threats.
How do things currently stand? Are there many objections to the draft?
Mairle: The national standard bodies could vote on the “Draft International Standard” from August to November last year. There was agreement of over 90 percent here. The comments made as part of this voting also demonstrated great interest in the subject of cyber security, but hardly any fundamental objections, let alone rejection.
You both regard the subject of cyber security as very important. How great do you consider the threat to be?
Mairle: Answering this question across the board is not possible, since an individual risk assessment depends on many factors. But there is not just one risk variety: a great deal is conceivable, from the effects on the availability or integrity of a lift and theft of intellectual property to effects on functional safety. Considered realistically, I consider the risk for an individual standard lift to be manageable.
It could be a different question if an attack is possible with essentially the same effort that can tackle many lifts simultaneously, in a scaled manner. Or if a particular lift is especially “valuable” for an attacker for some reason. For example, if important people are transported in it, access to especially sensitive building areas is possible via the lift or a lift is of especial interest due to technical peculiarities.
Ebeling: I share Mr Mairle’s view that the threat is currently still manageable, and I can also follow his examples for enhanced risks of cyber-attacks. On top of this, digitalisation of lifts is only just getting started, i.e. more and more interfaces are arising in lifts to the outside world and as a result the risk of this including inadequately protected interfaces is also increasing.
Tim Ebeling is the managing director of Henning GmbH & Co. KG and as a manufacturer also of digital components has a great interest in cyber security for lifts. He is a member of the Digitalization & Cyber Security Committee of the ELA in his capacity as member of the Board of Directors of the VFA-Interlift.
Max Mairle is Product Security Manager at TK Elevator and, as a member of ISO/TC 178/WG 12 “Cybersecurity”, is involved in drawing up ISO 8102-20.
Ulrike Lotze asked the questions.
This is what it is all about: Part 20 of the ISO 8102 series on cyber security of lifts and escalators deals with the sector-specific application of the IEC 62443 standard series. By taking into account the different roles of companies within a sector, this standard series from the field of industrial cyber security pursues a holistic approach. It sets both technical and procedural requirements. Currently, the FDIS draft of ISO 8102-20 is being prepared. Publication is planned for September of this year.
You can read the complete discussion between Tim Ebeling and Max Mairle on our homepage.