Cybersecurity in Automation: Navigating New Regulatory Challenges


Cybersecurity in Automation: Is the EU Regulation 2023/1230 a Game Changer?

In the realm of industrial automation, safety has traditionally been synonymous with physical barriers, structural integrity, and reliable control systems. However, the EU Regulation 2023/1230 highlights the necessity of considering cybersecurity threats before introducing machinery to the market. Although a harmonized standard for machine cybersecurity does not yet exist, manufacturers must demonstrate that their devices are protected digitally during the conformity assessment process.

Why Cybersecurity in Automation is Now a Priority

In the past, machines operated as isolated units with local controllers, and the only possible intervention was local and manual. Today, industrial automation systems connect to industrial networks, receive remote software updates, and store production data in the cloud. This connectivity introduces risks such as:

  • Remote interference (taking control of the controller),
  • Configuration manipulation (altering operational parameters),
  • Inducing hazardous states (e.g., exceeding permissible speeds, pressures, temperatures).

The regulation mandates that manufacturers consider these “non-technical” threats. If someone remotely feeds false data into the system and the machine consequently operates dangerously, the manufacturer is liable for inadequate protection of the control system.

Sources of Guidance in the Absence of Harmonized Standards

The lack of a harmonized “machine cybersecurity” standard does not absolve manufacturers of the responsibility to protect their machines. The regulation allows reliance on other recognized specifications, such as:

  1. IEC/ISA 62443 Series
    • Widely used in industry and automation, it includes requirements for component manufacturers (e.g., PLCs), system integrators, and operators.
    • Defines security levels, practices for secure software development, password management, updates, etc.
  2. ISO/IEC 27001 and related standards
    • A general standard for information security management systems. It supports machinery security work but is not dedicated to machinery.
    • Organizations using 27001 have structured security procedures and IT risk management.
  3. Sector-specific standards or industry guidelines
    • In some sectors (e.g., food, chemicals), industry organizations issue cybersecurity guidelines for automation systems, including testing and maintaining secure configurations.

During conformity assessment, one can argue that the protective measures in the system architecture align with, for example, IEC 62443-3-3, ensuring that attack attempts do not lead to hazardous machine states.

Manufacturer’s Obligations in Cybersecurity

The regulation stipulates that manufacturers must “prevent third-party actions harmful to product safety.” Practically, this involves:

  1. Risk assessment that includes digital aspects – if a machine has remote communication (Ethernet, Wi-Fi, GSM, etc.), a cyberattack should be treated as a foreseeable threat.
  2. Software protection – safeguarding control logic (e.g., blocking unauthorized uploads of modified PLC applications) is crucial.
  3. Intervention logging – the regulation mentions tracking authorized and unauthorized changes in safety systems.
  4. Monitoring and updates – manufacturers should ensure that vulnerabilities can be patched without introducing new risks.
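Obligations 2 and 3 above (protecting the control logic against unauthorized uploads and logging authorized and unauthorized interventions) can be illustrated in code. The following is an added example, not code from the article, from the regulation or from any PLC vendor: a toy controller that accepts a program upload only when it carries an HMAC tag computed with the manufacturer's release key and comes from a user on its authorization list, and that writes every attempt into a hash-chained log whose integrity can be checked later. The key, the user names and the sample program bytes are all constructed for the demonstration.

```python
"""
Added example (not from the article or any PLC vendor): a signed-upload gate
for control logic plus a tamper-evident intervention log.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Hypothetical release-signing key (constructed). In practice the secret stays
# with the manufacturer's release process; the controller only needs to verify.
RELEASE_KEY = b"constructed-release-signing-key"


def sign_program(program: bytes, key: bytes = RELEASE_KEY) -> str:
    """Tag a control program with an HMAC-SHA256 over its exact bytes."""
    return hmac.new(key, program, hashlib.sha256).hexdigest()


@dataclass
class InterventionLog:
    """Append-only log of interventions on the control/safety system.
    Each entry stores the hash of the previous entry, so deleting or editing
    a record breaks the chain and is caught by verify_chain()."""
    entries: list = field(default_factory=list)
    last_hash: str = "0" * 64

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user: str, action: str, authorized: bool, detail: str) -> dict:
        entry = {
            "ts": time.time(),
            "user": user,
            "action": action,
            "authorized": authorized,
            "detail": detail,
            "prev": self.last_hash,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self.last_hash = entry["hash"]
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry links to its predecessor and is unmodified."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class Controller:
    """Toy PLC: refuses programs not signed with the release key and uploads
    from users outside its (constructed) authorization list; logs everything."""
    AUTHORIZED_USERS = {"service_eng"}

    def __init__(self, log: InterventionLog):
        self.log = log
        self.program = None

    def upload(self, user: str, program: bytes, tag: str) -> bool:
        if user not in self.AUTHORIZED_USERS:
            self.log.record(user, "upload", False, "user not authorized")
            return False
        # Constant-time comparison of the presented tag with the expected one.
        if not hmac.compare_digest(tag, sign_program(program)):
            self.log.record(user, "upload", False, "signature mismatch")
            return False
        self.program = program
        self.log.record(user, "upload", True, "sha256=" + hashlib.sha256(program).hexdigest())
        return True


if __name__ == "__main__":
    log = InterventionLog()
    plc = Controller(log)
    # Constructed sample program (IL-style text standing in for a compiled image).
    program = b"LD I0.0\nAND I0.1\n= Q0.0\n"
    tag = sign_program(program)
    print(plc.upload("service_eng", program, tag))                     # True
    print(plc.upload("service_eng", program + b"MAX_SPEED=999\n", tag))  # False: modified logic
    print(plc.upload("intruder", program, tag))                         # False: not authorized
    print(log.verify_chain())                                           # True
```

The log records the failed attempts as well as the successful one, which is what makes it useful as evidence during a conformity assessment or an incident review; a log that only captured successful changes would hide exactly the interventions the regulation asks manufacturers to track.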

Few manufacturing companies have internal teams for penetration testing and protocol analysis. Thus, they often seek advisors, especially for selecting appropriate practices (e.g., communication encryption, network segmentation) and assessing security status.

Cybersecurity in Automation: Insights on IEC 62443

In the context of cybersecurity for machinery and automation systems, the IEC/ISA 62443 series is frequently cited. A key publication is IEC 62443-2-1, which outlines how to establish a comprehensive Cyber Security Management System (CSMS). The document covers elements such as:

  • Risk analysis (identifying the most vulnerable points, potential attack impacts, countermeasures),
  • Policy and procedure development (clear guidelines on responsibilities, rules for normal and incident conditions),
  • Organizational structure and training (roles, responsibilities, necessary personnel awareness level),
  • System monitoring and continuous improvement (ongoing updates, periodic reviews, and audits).

This standard complements new requirements (e.g., in EU Regulation 2023/1230), especially when universal guidelines are needed for implementing cybersecurity processes in conformity assessments. It enables organizations to create a cohesive security system encompassing not only network components and applications but also the entire lifecycle of devices and control systems.

When to Seek Expert Support

  1. Standard selection – IEC 62443 is not a single standard but a family (e.g., 62443-2-4, 62443-3-3, etc.). Experts can help determine which elements are most critical for you.
  2. Control architecture design – considering zones and data flows, preventing direct internet access to the controller.
  3. Cyber risk analysis – conducting even a simplified risk assessment to identify possible attacks and their consequences.
  4. Documentation preparation – the regulation requires proof of protective measures. Lack of coherent documentation can complicate assessments, especially for higher-risk machines.

Why is This So Important?

Previously, under the Machinery Directive 2006/42/EC, cybersecurity was not explicitly highlighted. Now, Regulation 2023/1230 emphasizes that malicious actions can cause accidents for which manufacturers are accountable. This impacts:

  • Certification (for high-risk machines during EU-type examination, notified bodies may request evidence of system security).
  • Brand perception (customers increasingly inquire about software security, especially for large production lines).
  • Legal risk (in the event of a cyberattack-related accident, it may be determined that the manufacturer did not meet the regulation’s digital threat requirements).

In the era of industrial IoT and ubiquitous connectivity, cybersecurity has become a fundamental requirement for machine conformity with Regulation (EU) 2023/1230. Despite the absence of an officially harmonized standard, manufacturers cannot ignore cybersecurity: they must include cyber aspects in risk assessments, rely on recognized standards (such as IEC 62443), and demonstrate that control logic, safety functions, and software updates are protected against unauthorized actions.

If a company lacks dedicated specialists, external expert support can expedite the implementation of best practices – from network protocol analysis and penetration testing to coherent documentation of protective measures for conformity assessments. This ensures that cyberattacks do not undermine engineers’ efforts or expose manufacturers to legal liability, while also preparing machines for the challenges of the digital age.

FAQ: Cybersecurity in Automation

1. Is cybersecurity in automation legally required?

Yes, Regulation 2023/1230 on machinery introduces requirements for protection against cyberattacks that can affect machine safety and human safety. Manufacturers must ensure system resilience against external interference.

2. Do older machines also need to meet cybersecurity requirements?

New regulations primarily apply to new machines entering the market. However, when modernizing or integrating older systems, they may need to be adapted to new standards.

3. What are the most common cyber threats in automation?

The biggest risks include remote control takeover of machines, ransomware attacks blocking production, and manipulation of control data. Lack of updates and weak passwords are major vulnerabilities exploited by attackers.

4. How to secure a machine control system against cyberattacks?

Key steps include isolating the control network from the Internet, using strong passwords and user authorization, and regularly updating controllers and software. Of course, full isolation is not always possible, since remote service access to the machine or the use of production data on external servers may be required.
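The architecture point made in "Control architecture design" above (zones and data flows, no direct Internet access to the controller) and in this answer (isolating the control network while still allowing remote service) can be checked mechanically once the plant is modelled as zones joined by conduits, in the spirit of IEC 62443. The following is an added example, not code from the article or from the standard: a constructed plant with an Internet zone, an enterprise zone, a DMZ and one control cell, in a weak and a hardened variant, and a function that lists every path from the Internet into a control zone that does not pass through a DMZ. Zone names, kinds and conduits are all constructed for the demonstration.

```python
"""
Added example (not from the article or IEC 62443): a zone/conduit model of a
plant network and a check that no Internet-originated path reaches a control
zone without terminating on a DMZ first.
"""

# Constructed plant model: zone name -> zone kind.
ZONES = {
    "internet": "untrusted",
    "enterprise": "business",
    "dmz": "dmz",
    "cell_1": "control",   # PLC and safety controller live here
}

# Conduits as directed edges: zone -> zones it may initiate traffic into.
# Weak variant: a port-forward from the Internet straight into the cell for
# remote service, and a historian in the enterprise zone polling the PLC.
WEAK_CONDUITS = {
    "internet": ["cell_1", "dmz", "enterprise"],
    "enterprise": ["cell_1"],
    "dmz": ["cell_1"],
}

# Hardened variant: everything that wants into the cell (remote service,
# historian) terminates on the DMZ, which alone may talk to the controller.
HARDENED_CONDUITS = {
    "internet": ["dmz", "enterprise"],
    "enterprise": ["dmz"],
    "dmz": ["cell_1"],
}


def validate_model(zones, conduits):
    """Raise if a conduit references a zone that is not in the zone table."""
    for src, dsts in conduits.items():
        for z in [src, *dsts]:
            if z not in zones:
                raise ValueError(f"conduit references unknown zone {z!r}")


def simple_paths(conduits, src, dst):
    """Enumerate loop-free paths from src to dst over the directed conduits."""
    paths = []
    stack = [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in conduits.get(node, ()):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths


def violations(zones, conduits, source="internet"):
    """Return every path from `source` into a control zone whose intermediate
    zones contain no DMZ; an empty list means the controllers are not
    directly exposed."""
    validate_model(zones, conduits)
    dmz = {z for z, kind in zones.items() if kind == "dmz"}
    control = sorted(z for z, kind in zones.items() if kind == "control")
    bad = []
    for z in control:
        for path in simple_paths(conduits, source, z):
            if not dmz.intersection(path[1:-1]):
                bad.append(path)
    return bad


if __name__ == "__main__":
    for name, conduits in (("weak", WEAK_CONDUITS), ("hardened", HARDENED_CONDUITS)):
        print(name, [" -> ".join(p) for p in violations(ZONES, conduits)])
```

The weak model reports two exposures: the direct port-forward, and the less obvious one through the enterprise zone, where a historian polling the PLC gives anyone who compromises an office host a route to the controller. The hardened model reports none while still allowing remote service and data export, which is the trade-off the answer above describes.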

5. Who is responsible for cybersecurity in a facility – the machine manufacturer or the user?

Manufacturers must ensure a safe machine design in accordance with the regulation, but users are responsible for safe operation, including proper configuration, updates, and access control.
