The Imperative of Cybersecurity for Machine Builders
Understanding the Regulation (EU) 2023/1230
On June 29, 2023, the European Parliament and the Council of the European Union announced Regulation (EU) 2023/1230, which will replace the existing Machinery Directive 2006/42/EC. This updated regulation revises the product scope and conformity assessment procedures originally covered by Directive 2006/42/EC. Products falling within the scope of Regulation (EU) 2023/1230 must now meet the cybersecurity requirements specified in Sections 1.1.9 and 1.2.1 of Annex III. The regulation came into effect on July 19, 2023, with full implementation planned by January 14, 2027.
Exploring the Relationship Between the CRA and Regulation (EU) 2023/1230
Additionally, the European Union has introduced a new set of cybersecurity rules known as the Cyber Resilience Act (CRA). This legislation is significant as it sets security standards for nearly all digitized entities, from software to Internet of Things (IoT) devices, including mechanical equipment. By covering “products with digital elements”, the CRA expands the cybersecurity requirements for products within the scope of Regulation (EU) 2023/1230. This means machinery with components such as chips, software, devices, and applications will be affected. Complying with the CRA’s cybersecurity mandates could also help fulfill the requirements of Regulation (EU) 2023/1230.
This marks the first time in EU history that legislation imposes mandatory cybersecurity requirements across the entire lifecycle of both hardware and software products. Notably, the act ensures products, particularly those marked with the CE label, meet baseline cybersecurity standards and receive at least five years of security support, safeguarding their use over time.
Here’s what the Act does:
- Sets rules for introducing products with digital elements to the market, focusing on their cybersecurity.
- Defines basic requirements for the design, development, and production of these products, and outlines what responsibilities economic operators have in fulfilling them.
- Establishes essential guidelines for how manufacturers should manage vulnerabilities in these products throughout their lifecycle, including the responsibilities of economic operators.
- Includes measures for market surveillance and enforcement of the rules and requirements mentioned above.
Current Status of the EU’s Cyber Resilience Act
On November 30, 2023, the European Parliament and Council struck a political agreement on the Cyber Resilience Act (CRA), initially proposed by the European Commission in September 2022. Then, on March 12, 2024, the European Parliament greenlit new standards aimed at shielding all digital products in the EU from cyber threats. However, this agreement isn’t final yet; it still needs the formal thumbs-up from both the European Parliament and the Council.
Once approved, industries will have 36 months to adapt to these new rules. However, reporting obligations will kick in sooner, just 21 months after the act is passed. The CRA is expected to pass by the second quarter of 2024. This means the new requirements will start to apply sometime between April and June 2027, with incident and vulnerability reporting duties beginning between January and April 2026.
Key Highlights of New Cybersecurity Requirements
The CRA will impact manufacturers, importers, and distributors of hardware and software products in the EU market. Here’s what manufacturers will need to do:
- Incorporate cybersecurity at every stage—from planning and design to development, production, delivery, and maintenance.
- Document all cybersecurity risks.
- Actively report any exploited vulnerabilities and incidents.
- Ensure that vulnerabilities are managed effectively throughout the product’s expected lifespan or for five years, whichever is shorter.
- Provide clear and easy-to-understand instructions for using products with digital elements.
- Make security updates available for at least five years.
Table 1. Security Requirements Relating to the Properties of Products with Digital Elements
| Category | Description |
| Vulnerability Mitigation | Products must be free of known exploitable vulnerabilities before being released to the market. |
| Security by Default | Products should come with a secure default configuration, including the option to reset to the original state, unless otherwise agreed with business users for customized products. |
| Vulnerability Remediation | Vulnerabilities should be addressed through security updates, including automatic updates enabled by default within an appropriate timeframe, with a clear opt-out mechanism and user notification. |
| Unauthorized Access Protection | Protect against unauthorized access through appropriate control mechanisms like authentication and identity management, with reporting on possible unauthorized access. |
| Confidentiality Protection | Encrypt stored, transmitted, or processed data using state-of-the-art mechanisms to ensure its confidentiality. |
| Integrity Protection | Protect the integrity of stored, transmitted, or processed data against unauthorized manipulation or modification, and report corruptions. |
| Data Minimization | Process only necessary and relevant data in relation to the product’s intended purpose. |
| Availability Protection | Preserve the availability of essential functions, even after incidents, through resilience and mitigation measures against denial-of-service attacks. |
| Minimize Negative Impact | Minimize the impact of incidents on the availability of services provided by other devices or networks. |
| Attack Surface Reduction | Design, develop, and produce products to limit attack surfaces, including external interfaces. |
| Incident Impact Reduction | Reduce the impact of incidents using appropriate exploitation mitigation mechanisms and techniques. |
| Security Information Provision | Provide security-related information by recording and monitoring internal activity, with an opt-out mechanism for users. |
| Secure Data Removal | Provide users with the ability to securely and easily remove all data and settings permanently, ensuring secure data transfer to other products or systems when applicable. |
| Source: European Parliament | |
Table 2. Vulnerability Handling Requirements
| Category | Description |
| Identify Vulnerabilities and Components | Identify and document vulnerabilities and components in digital products; this includes creating a Software Bill of Materials (SBOM) covering at least the top-level dependencies. |
| Remediate Vulnerabilities | Address and fix vulnerabilities promptly, especially those posing risks to digital products, by providing security updates separately from functionality updates whenever technically possible. |
| Apply Effective and Regular Tests | Regularly test and review the security of digital products for optimal effectiveness. |
| Publicly Disclose Information about Fixed Vulnerabilities | Share information about fixed vulnerabilities publicly, including their description, affected products, impacts, severity, and guidance on remediation. Delay disclosure only in justified cases where the risks of disclosure outweigh the benefits until users have had the opportunity to apply patches. |
| Disclose Vulnerabilities | Establish and enforce a policy on coordinated vulnerability disclosure. Provide a contact address for reporting discovered vulnerabilities. |
| Share Information About Potential Vulnerabilities | Facilitate sharing information about potential vulnerabilities in digital products and third-party components, including by providing a contact address for vulnerability reporting. |
| Securely Distribute Updates for Products | Implement mechanisms to securely distribute updates for digital products to fix or mitigate vulnerabilities in a timely manner, including automatic distribution for security updates where applicable. |
| Disseminate Security Patches or Updates for Free | Security updates addressing identified issues should be disseminated promptly and free of charge, unless otherwise agreed for tailor-made products. Provide advisory messages with relevant information for users, including recommended actions. |
| Source: European Parliament | |
Importers (entities within the EU that market products under the name or trademark of a non-EU entity) and distributors (those offering products in the EU market without altering their performance) also have responsibilities. They must check whether manufacturers comply with the CRA, including proper application of the CE mark, which indicates conformity with EU standards.
Identifying Products Subject to Compliance Requirements
Manufacturers need to figure out if their products fall within the scope of the EU’s Cyber Resilience Act to comply properly. The Act categorizes products into three types, each requiring a different approach to compliance:
- Class I Important Products: These either need a third-party assessment or must self-declare that they meet established standards.
- Class II Important Products: These require a third-party evaluation.
- Critical Products: These undergo third-party evaluations under the auspices of national authorities.
However, the CRA doesn’t apply to every product. Certain types that are already covered by other EU regulations are exempt. For instance:
- Medical devices regulated under EU 2017/745
- In-vitro diagnostic medical devices under EU 2017/746
- Road traffic safety products under EU 2019/2144
- Civil aviation and air transport equipment under EU 2018/1139
- Marine equipment covered by Directive 2014/90/EU
Also, products specifically designed for national security or defense purposes, or those intended to handle classified information, are not covered by the CRA.
Table 3. Important and Critical Products with Digital Elements
| Product Category | Important Products | Critical Products | |
| Category | Class I | Class II | Critical |
| Criteria | At least one of the following criteria: • This digital-element product primarily performs critical cybersecurity functions for other products, networks, or services. • The functions of this digital-element product may directly manipulate and pose serious risks to the health and safety of a large number of other products or users. |
• Class II products pose greater risks and their compromise have more serious impact due to their functions compared to Class I products. | • These products are essential dependencies for critical entities to the infrastructure as outlined in the relevant directives. • Their criticality necessitates various forms of certification, and they are included under European cybersecurity certification schemes. |
| Conformity Assessment | • Self-declaration of meeting application standards or confirmation via third-party assessment | • Third-party assessment | • A higher-level European cybersecurity certification |
TXOne Solution Portfolio for Machine Builders
Element: Pre-Delivery Security Inspection for Machinery
Prior to delivery, it is critical for machine manufacturers to conduct a comprehensive malware scan on each machine. This process involves the detection and documentation of any malicious software. In addition, Element solutions collect asset information to generate an inventory list, which grants IT/OT visibility and eliminates shadow IT/OT. This preemptive measure ensures that the machinery is secure and functioning as intended at the point of handover.
Stellar: Comprehensive Malware Protection Strategies for Business Continuity
For machines of all sizes that operate on Windows operating systems, endpoint anti-malware software represents the most effective defense strategy. This software typically operates in two modes:
- Operations Behavior Anomaly Detection: Stellar utilizes advanced algorithms to identify abnormal behavior in system operations in real-time. This anomaly detection improves security by enabling early detection and prompt alerts, facilitating quick investigation and mitigation of suspicious activities.
- Protection Mode: Actively scans the system and its environment to detect and mitigate threats.
- Lock-Down Mode: Establishes a whitelist of trusted applications, automatically blocking any software that is not expressly authorized. This mode is crucial for maintaining stringent control over what can execute on the system, thus bolstering its defense against malicious interventions.
Edge: Enhancing Network Security to Guard Against Security Breaches
Network security appliances play a vital role in safeguarding machinery, especially those managed remotely. For operational technology (OT) environments, deploying an OT-centric firewall is essential to secure network connections. Additionally, Intrusion Prevention Systems (IPS) are implemented to preemptively block malicious data packets and unauthorized network commands. These systems can vary in size and approach:
- Embedded Form Factor: Small-scale IPS devices can be integrated directly into individual machines.
- OT Network Segmentation: This solution provides a range of security features that enable effective segmentation, whether it is achieved logically or physically, based on the appropriate levels defined for each zone.
- Signature-Based Virtual Patching: Through virtual patching, the network has a powerful, up to date first line of defense against known threats. Users have superior control of the patching process, which creates a preemptive defense during incidents, and provides additional protection for legacy systems.
- Larger Scale Solutions: Bigger units can provide network protection for multiple machines simultaneously, offering a scalable solution to network security challenges.
Conclusion
The launch of the Cyber Resilience Act (CRA) aims to ensure that security is a core part of the development of future digital devices. This means that manufacturers have to rethink how they develop products. In the past, they might have focused more on features like how energy-efficient a device was. Now, they need to seriously factor in security right from the start.
However, the CRA also brings significant compliance costs and challenges for manufacturers, importers, and distributors. They’ll have to adapt to new requirements and standards, monitor and report any incidents or vulnerabilities, and potentially face sanctions or liabilities if they don’t comply. Failing to meet the CRA’s basic security requirements could result in fines ranging from 5 to 15 million euros or 1-2.5% of the global turnover from the previous fiscal year—whichever is higher—depending on the type of violation. Beyond fines, authorities could also demand that products be withdrawn from the EU market.
Ideally, manufacturers should ensure that security is central throughout the product development lifecycle. TXOne’s OT-native solutions can help identify threats, reduce the attack surface and risks devices are exposed to, and suggest ways to mitigate these threats. We also highly recommend incorporating an OT zero-trust defense approach in both the organization and its industrial assets to effectively enhance security measures.
Reference
[1] European Parliament and Council of the European Union. “Regulation (EU) 2023/1230 on Machinery and Repealing Directive 2006/42/EC of the European Parliament and of the Council and Council Directive 73/361/EEC”, Official Journal of the European Union, June 29, 2023.
[2] European Parliament, “Legislative resolution of 12 March 2024 on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020”, European Parliament, March 12, 2024.
[3] Jon Clay, “How the EU Resilience Act impacts manufacturers”, Trend Micro, December 12, 2023.
[4] Justyna Ostrowska. “The EU Cyber Resilience Act Proposal: What You Need to Know”, A&O Shearman, Jan 4, 2024.
[5] Anu Laitila, Kristian Herland, “Cyber resilience act – enhancing cybersecurity across the EU”, Deloitte Finland. (n.d.). Retrieved May 3, 2024.
