When it comes to cyber security and the fulfillment of new security requirements for your products, MESCO experts provide you with technology- and manufacturer-neutral advice and support you in implementing your development projects efficiently and in compliance with the new regulatory requirements.

With the Cyber Resilience Act (CRA), the European Union has taken a groundbreaking step towards improving cyber security in the digital single market. From the end of 2027, digital components may only be placed on the market if they meet the basic security requirements of the CRA.

This regulation therefore also affects factory and process automation devices, including sensors, actuators, controllers and communication technologies – especially those with digital interfaces. From the end of 2027, components with embedded software may only be placed on the market if they meet the specific requirements of the CRA.

Increased security standards for digital devices

Companies in the factory and process automation industry are facing the challenge of adapting their products to the new legal requirements of the Cyber Resilience Act. Compliance with these regulations is mandatory in order to be able to continue to affix a CE marking to their products and sell them in the EU. However, products placed on the market before 2027 will retain their CE marking beyond this deadline if they have not been significantly modified. Note that a software update or the replacement of a software component could already constitute a significant change and require compliance with all CRA requirements.

Security measures are not just limited to the field device, but must also take particular account of the interfaces, such as fieldbuses. Since other field devices could be used as a gateway into a fieldbus, the fieldbus organizations have already dealt extensively with the topic of security in real-time networks, especially those based on Ethernet or wireless networks.

Cyber security for industrial fieldbuses

The fieldbus organizations have already developed initial security concepts: for example, there are measures aimed at protecting access to a system or infrastructure against unauthorized manipulation.

The PROFIBUS user organization PI, for example, uses security class 1 for PROFINET to ensure that devices are correctly addressed by the controller.

Among other things, this is achieved by disabling simple device address manipulation and signing the GSDML files. However, this measure makes only a limited contribution to preventing external threats. In particular, if a device is taken over by an attacker via an IoT interface, for example, these measures are largely ineffective. If PROFINET security is to be further increased, the following additional measures are required:

  • Integrity and authenticity of data (security class 2): These measures prevent manipulation of data during transmission and ensure that information is not falsified or changed without being noticed. This can be achieved using cryptographic signatures or verification mechanisms.
  • Confidentiality of data (security class 3): This involves protecting sensitive information from unauthorized access. Encryption technologies ensure that only authorized parties have access to process data. This serves in particular to protect know-how in the application.

Implementing these security requirements calls for suitable protection mechanisms and comprehensive testing to validate them.

Our services

  • Selection of the appropriate conformity assessment procedure: As a rule, the assessment is carried out as part of a self-declaration for non-critical products
  • Performing risk assessments and minimizing attack surfaces to reduce potential security risks
  • Integration of protection mechanisms including measures for data integrity, confidentiality and other relevant security aspects
  • Consulting and development of (cyber-)secure fieldbus communication: PROFINET, EtherCAT, IO-Link as well as functionally safe protocols such as PROFIsafe, FSoE, IO-Link Safety
  • Creation of a Software Bill of Materials (SBOM) in accordance with the technical guidelines to ensure transparent traceability of software components
  • Support in identifying and addressing vulnerabilities based on proven security standards
  • Detailed documentation according to CRA specifications to ensure compliance with regulatory requirements and support the declaration of conformity

Do you have any questions?

We are looking forward to your request.
MESCO Engineering, Inc.
2125 Center Avenue Suite 507
07024 Fort Lee, New Jersey
USA
MESCO Engineering GmbH
Berner Weg 7
79539 Lörrach
Germany
MESCO Engineering GmbH
Wentzingerstraße 21
79106 Freiburg
Germany
MESCO Engineering AG
Klosterzelgstrasse 1a
5210 Windisch
Switzerland