Industrial Security

Protecting safety functions on machinery and plants from attacks

USB flash drive with case removed

Tampered USB stick as a gateway enables attacks on industrial control systems
 Source: IFA

Functional safety components protect life and health when working on plants and machinery. For instance, a safety locking function can prevent a safety gate to a hazardous zone of a plant or machine from being opened. To ensure that safety functions of control systems are reliable, the control system itself must also be secure, i.e. protected against tampering.

Safety components must therefore be

  • adapted to their technical environments (networks, interfaces, communication protocols, etc.),
  • protected against tampering and
  • protected against attacks.

The annual State of IT Security Report of the German Federal Office for Information Security (BSI) shows how frequently specific attacs have been observed. The reports describe, for example, attacks on industrial controls capable of putting a blast furnace in a steel plant out of control or instances where a safety control system was hijacked in a chemical plant.

Protection against attacks is therefore imperative, especially for functional safety components.

The DGUV works towards an effective improvement of this situation in a number of different areas:

  • The Institute for Occupational Safety and Health (IFA) trains Social Accident Insurance Institutions, raises security awareness through practical demonstrations of attacks and develops solutions.
  • A working group of the DGUV Test Department has worked with the test laboratories of Social Accident Insurance Institutions and the IFA, drawing up a test principle for security in industrial control systems based on the IEC ISO 62443 standard.
  • The IFA also provides further information on the latest safety and security warnings for supervisors, manufacturers and insured companies.

Security Regulations

Machinery Regulation: Regulation (EU) 2023/1230 of the European Parliament and of the Council of 14 June 2023 on machinery and repealing Directive 2006/42/EC of the European Parliament and of the Council and Council Directive 73/361/EEC

Cybersecurity Act
Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013

NIS Directive
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union

NIS 2 Directive
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148

Cyber Resilience Act
Proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending regulation (EU) 2019/1020 (Regulation is expected to enter into force October 2024; status)

Feedback from DGUV
on the initiative: Cyber resilience act – new cybersecurity rules for digital products and ancillary services (in German)

Technical Regulation for Operational Safety Part 1 / Technische Regel für Betriebssicherheit (TRBS) 1115 Teil 1
"Cybersicherheit für sicherheitsrelevante Mess-, Steuer- und Regeleinrichtungen" (in German only)

Publications

KAN-Brief 3/23: Proven knowledge in new industrial security specifications (PDF, 62 kB, non-accessible)

Safety and Security in Networked Production (FBHM-102)

Contact

Jonas Stein, Dipl.-Phys.

Accident Prevention: Digitalisation - Technologies



Christian Werner, M.Sc.

Accident Prevention: Digitalisation - Technologies

Tel: +49 30 13001-3520
Fax: +49 30 13001-38001