
Attention! Cyber security is moving to the forefront. In the EU, and specifically in Germany, Austria and Switzerland, industry must act, especially in automation. The open, Linux-based platforms covered by the Smart Automation market overview are becoming even more important in this respect. Looking the other way is no longer an option. The market overview and this portal now take this into account.

The Cyber Resilience Act (CRA) has been in force throughout the EU since 10 December 2024. The second EU Directive on Network and Information Security (NIS2 Directive) was adopted in December 2022 and is now being transposed into national law. With these two pieces of legislation, cyber security, whose scope has not yet been recognized everywhere in industry, has become a legal obligation. It is already a high priority for industrial automation platforms and will soon become an even higher one. The Smart Automation 2025/1 market overview therefore now includes an initial table on cyber security.

This table, however, has only limited informative value, and that is due neither to the manufacturers' willingness to provide information nor to their efforts to ensure security: all of them filled out my survey. The survey asked about certification against parts of IEC 62443, the decisive standard series for the cyber security of automation systems, i.e. industrial control systems (ICS), and the reference point until the CRA's obligations apply.

CRA certification is not yet possible, since neither harmonised standards nor notified conformity assessment bodies exist for it yet. And even the IEC 62443 certificates that have been common up to now require quite lengthy processes. Various providers are in the middle of such a process, such as KEBA for IEC 62443-4-1 or TTTech Digital Solutions for IEC 62443-4-1 and IEC 62443-4-2.

The parts of IEC 62443 covered by the survey

Here is a brief classification of the parts of the standard on which the table is based.

IEC 62443-2-4

Part 2 of IEC 62443 covers policies and procedures for the security of industrial control systems. In particular, IEC 62443-2-4 specifies the requirements for a security program for ICS service providers, i.e. integrators and maintenance providers, which also covers providers of automation platforms when they act in that role.

IEC 62443-3-3

Part 3 of IEC 62443 covers security technologies, risk assessment and system design at the system level. IEC 62443-3-3 specifies the system security requirements, grouped into seven foundational requirements (identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability), and defines the security levels SL 1 to SL 4 against which a system or zone is assessed.

IEC 62443-4-1 and IEC 62443-4-2

Part 4 of IEC 62443 concerns ICS components and products. IEC 62443-4-1 specifies the requirements for a secure product development life cycle, i.e. it certifies the supplier's development process rather than a specific product, while IEC 62443-4-2 specifies the technical security requirements that a component itself must meet, again graded by security level.

Not everything is relevant for every platform; some parts concern other links in the usually quite complex supply chain of networked systems. This is one reason why the table in the market overview shows only a slice of the security picture, not the whole of it.

[Figure: implementation stages of the CRA; KBS = conformity assessment bodies (Konformitätsbewertungsstellen). Source: BSI]

The illustrated stages of CRA implementation show that every manufacturer of a platform will have to demonstrate the security of their platform by 11 December 2027 at the latest, when the CRA's main obligations apply; the reporting obligations for actively exploited vulnerabilities and severe incidents apply even earlier, from 11 September 2026.

In addition, thousands of customers, not only as users of the platform but generally as manufacturers of networked products or manufacturing components, will be subject to the same obligations. The current IEC 62443 certifications are certainly a good starting point for CRA compliance, but they do not by themselves demonstrate conformity with the CRA, and it is not yet clear to what extent the harmonised standards still to be developed under the CRA will build on or replace them.

Incidentally, the same applies to cyber security as to most sub-areas and functions of automation platforms: not everyone has to reinvent everything. Specialist providers are already on the market with apps and systems that focus exclusively on cyber security.

NIS2

With the transposition of the NIS2 Directive on network and information security into German law, the Federal Office for Information Security (BSI) will become the supervisory authority for significantly more companies than before, through an amendment to the BSI Act. Little is expected to change for existing critical infrastructures (KRITIS), but for around 29,000 “particularly important” and “important” entities, as the law calls them, registration, evidence and reporting obligations will apply for the first time. For reasons of proportionality, the intensity of the respective measures is graded by category (KRITIS, particularly important entity, important entity).

As with the CRA, the BSI website provides a wealth of information on NIS2 to help every industrial company understand exactly what needs to be done, by when and by whom. The BSI's ICS security compendium, last updated at the end of 2024, is highly recommended, and a decision tree is available for checking whether your company is affected by NIS2.

As a contribution to the discussion about the role of cybersecurity in industry, especially in the development and use of Linux-based automation platforms, Industrie-Digitalisierung will be looking at this issue in detail in the near future.

The topics? These are just some of them:

  • OT-IT convergence and cyber security
  • The special role of platforms in security
  • Development of CRA and NIS2 implementation and the impact on platforms
  • Cybersecurity and the hyperscalers in the USA and China