Cyber and Product Security
Position Paper on Substantial Modifications in the Context of the EU Cyber Resilience Act (CRA)
The introduction of the EU’s Cyber Resilience Act (CRA) is a major concern for the machine tool industry. On the one hand, the necessary adjustments along the supply chain affect all VDW member companies. On the other hand, questions are emerging about how to comply with the CRA’s regulations regarding update requirements after machines have been delivered. In this context, the handling of “substantial modifications” is of central importance. With respect to the Machinery Regulation, “substantial modifications” have long been known. In contrast, according to the wording of the CRA, the manufacturer of a machine or system (as the entity placing the product on the market within the meaning of the regulation) is exempt from having to re-declare conformity (new declaration of conformity). This is a consequence of the CRA explicitly requiring the manufacturer to provide updates throughout the product’s service life. The text of the regulation is therefore consistent with the intent of the regulation. Unfortunately, its interpretation is currently less clear.
The VDW calls for the consistent application of the Cyber Resilience Act in accordance with the wording of its provisions. Machine manufacturers (placers on the market) are obligated under the CRA to take continuous measures to maintain compliance. The legislature does not require a renewed or, in the worst case, regular re-declaration of compliance by the placer on the market. Of course, this does not apply to significant modifications within the meaning of the Machinery Regulation—that is, changes related to safety-critical functions.
The full text of the position paper is available here.
Contact: Dr. Alexander Broos, Director Research and Technology, a.broos@vdw.de
VDW position paper on the EU’s Cyber Resilience Act (CRA)
- introduce the CRA in an at least two-tiered manner.
- Provide machine tool manufacturers, as integrators of complex systems, with an extended timeline until the CRA is to be fully implemented.
- Consistently apply the CRA’s risk-based approach and correspondingly reduce requirements for simple and non-critical components and products, which typically installed and used in machine tools.
VDW Product Security Working Group
- Risk and threat analysis
- Software Bill of Materials (SBOM).
- Asset management over the life cycle
- Exchange with system/control suppliers
- Software updates (methods/tools)
- User Management
Security of Machine Tools
The digital transformation of manufacturing, especially of machine tools and plants, is steadily advancing. Control components that were previously operated as stand-alone solutions are being networked company-wide or directly connected to each other via the internet and interact with software services in the cloud. This creates so-called cyber-physical systems.
These systems are increasingly being targeted by hackers, as they are often very easy targets for cyber attacks. Malware (such as “Mirai”, “Hajime”, “WannaCry” or “Petya”) enables attackers to quickly and significantly impair the availability of plants and machines; production processes come to a standstill, resulting in economic losses costing millions. In addition to the extorted money payments, companies often also suffer great damage to their image.
The operator himself can make an initial and important contribution to secure machine operation. Information on and suggestions for this have already been presented elsewhere [1] In order to be able to adequately combat threats, plant and machine manufacturers will also have to attach much more importance to security in the future – both in the construction of the machines and in their operation. “Security by design” is a method that has been successfully applied in software development for many years. Transferred to machine and plant construction, it is applied in the international standard IEC 62443.
