The key norms in industrial teleassistance

Norms in teleassistance

The increase in connected devices exposes companies to growing cybersecurity threats. The NIS2 Directive and the IEC 62443 standard frame the norms in teleassistance aimed at improving cybersecurity, requiring integrated and cooperative measures among organizations.

Information and communication technologies are the foundation of complex systems that support the daily activities of society, the economy, and industry. With digitalization, connectivity, Industry 4.0, and the Internet of Things (IoT), the number of connected digital devices is growing exponentially. Despite this, security and resilience are not always built in by design, which often leaves cybersecurity policies inadequate.

The cybercrime market is a real concern, with attacks aimed at encrypting data or sabotaging production, as highlighted by ENISA research. IT and OT systems can therefore no longer be treated as separate: 94% of attacks on IT systems have caused disruptions in OT systems, which highlights how exposed companies are as their networks grow more complex.

Norms in teleassistance and tools for the protection of industrial machinery

To protect their data, companies must implement analysis and control tools, as established by the IEC TS 63074 standard, which introduces the concept of Security Risk Analysis and refers to the IEC 62443 family.

The Machinery Regulation (EU) 2023/1230, which comes into effect on January 1, 2027, requires specific provisions for remote assistance to ensure cybersecurity. The United States, with NEC 2023, has already introduced similar requirements in 12 states, suggesting a trend toward early adoption that could also be reflected in Europe with NIS2.

Directive (EU) 2022/2555 (NIS2), in effect from October 2024, broadens the scope to include machinery manufacturers, introducing a multi-risk requirement that also covers associated service providers. It is crucial to define the characteristics that industrial plants and machines must meet to ensure an adequate level of cybersecurity, and to clarify the degree of obligation.

Moreover, although the Machinery Directive 2006/42/EC does not explicitly address cybersecurity, related standards such as ISO 13849-1 and EN 415-10 establish some fundamental principles. For example, a remote connection must be authorized locally, and safety parameters must not be modifiable without on-site validation. This further emphasizes the importance of adopting an integrated security strategy that protects machines from external threats.

Next, we will examine in detail what the main norms in teleassistance say and what they entail.

NIS2 Directive

The NIS2 Directive (Network and Information Security 2) represents the evolution of the first NIS Directive, introduced by the European Union in 2016 to strengthen cybersecurity. Adopted starting in 2022, this new directive updates and enhances the regulatory framework to address the growing threats and ensure greater resilience of networks and information systems, including those of industrial teleassistance.

One of the main objectives of the NIS2 Directive is to broaden the scope compared to the previous directive. It includes more sectors and services critical to national security, such as digital infrastructures, cloud service providers, data centers, and teleassistance services. The norms in teleassistance are therefore relevant to organizations operating as service providers and to companies that use connected devices and systems, both of which must comply with this directive.

Specifically, the NIS2 Directive introduces stricter requirements for risk management and security incident reporting. Organizations must adopt security measures appropriate and proportionate to the risk, including vulnerability management, identity and access management, network monitoring, and the implementation of intrusion detection systems. In the case of a security incident, for example, organizations must promptly report it to the competent authority, ensuring a rapid response and coordination at the European level.

At the European level, the directive promotes cooperation and information sharing among member states and organizations to improve the collective ability to prevent, detect, and respond to cyberattacks. Such cooperation is particularly relevant for industrial remote assistance, where networks and control systems may be distributed across multiple sites and managed by different.

IEC 62443 standard

Let's now look at the IEC 62443 standard, one of the main international standards developed to ensure the security of industrial automation and control systems (ICS).

This standard, created by the International Electrotechnical Commission (IEC), provides guidelines and requirements for protecting networks and control systems from cyber threats. Its adoption is therefore crucial when industrial devices and processes are monitored and managed remotely.

IEC 62443 is structured into four sections that cover various aspects of industrial security:

  • Part 1: Terminology, Concepts, and Models - Provides an overview of the terms and models used in the standard.
  • Part 2: Policies and Procedures for Organizations - Establishes the requirements for security policies and operational procedures, including risk management, access control, and change management.
  • Part 3: System Requirements - Defines the security requirements for industrial control systems, such as network monitoring, vulnerability management, and data integrity.
  • Part 4: Component Requirements - Specifies the security requirements for components of control systems, including field devices, human-machine interfaces (HMI), and supervisory software.

The implementation of IEC 62443 offers numerous advantages:

  • It provides a structured approach to identify and mitigate security risks, ensuring that connected devices and networks are protected against cyber attacks.
  • Moreover, it encourages the adoption of integrated security practices at the design and development level, ensuring that teleassistance systems are secure from the start.
  • Furthermore, it facilitates collaboration between teleassistance service providers and industrial operators, establishing a common language and shared security requirements.
  • Additionally, it enhances trust and transparency among the parties involved and contributes to creating a safer and more resilient ecosystem.

Other norms in teleassistance

In addition to the NIS2 Directive and the IEC 62443 standard, there are other regulations in industrial teleassistance that impact security.

Among these, the GDPR (General Data Protection Regulation) is the EU's general regulation on data protection and requires organizations to protect the personal data they process, including data collected and used in teleassistance operations. Companies operating in this sector must adopt adequate measures to ensure GDPR compliance, especially when protecting sensitive data of operators or customers.

Another relevant standard is ISO/IEC 27001, which defines the requirements for an information security management system (ISMS). In industrial remote assistance, adopting ISO/IEC 27001 helps implement appropriate security controls to protect sensitive information and ensure operational continuity.

Furthermore, the NIST Cybersecurity Framework (CSF) provides guidelines for managing and reducing cybersecurity risks. Although developed for U.S. organizations, this framework is widely adopted globally and can be used as a reference to improve security in industrial remote assistance operations.

Finally, the RED Directive (Radio Equipment Directive) applies to radio communication devices, imposing safety and compatibility requirements to ensure that devices used in industrial teleassistance do not cause harmful interference and are secure against attacks and tampering.

Main standards, norms, and frameworks for industrial cybersecurity

COSO - Based on "Managing Cyber Risk in a Digital Age", which provides guidelines on how to respond to corporate cyber threats.
Cybersecurity Act Reg. (EU) 881/2019 - The Cybersecurity Act Reg. (EU) 881/2019 introduces a framework for European cybersecurity certificates. It also strengthens the mandate of the EU Agency for Cybersecurity (ENISA).
Cyber Resilience Act - Regulation aimed at increasing the security of all products with digital elements.
EN 415-1 - UNI EN 415-1:2001 provides a classification of machines for packaging and wrapping.
EN 415-11 - The European standard EN 415-11, approved at the end of 2021, defines a standard for the evaluation of Efficiency & Availability during acceptance/testing of packaging machines.
GDPR - The General Data Protection Regulation (GDPR) governs how companies and other organizations handle personal data.
HITRUST - HITRUST focuses on the analysis and management of risk with 14 different control categories. It can be applied to almost all organizations, including healthcare.
IEC 62443 - The IEC 62443 standard is the international standard for the security of industrial automation control systems and for Industry 4.0. Its foundations were laid about 20 years ago by the SP99 Committee, established by the ISA (International Society of Automation).
IEC TS 63074 - Introduces the concept of "Security Risk Analysis" in industrial automation systems, referring to the IEC 62443 family of standards.
ISO 27000 - The ISO 27000 series is applicable to organizations of all types and sizes. The two main standards, ISO 27001 and 27002, establish the requirements and procedures for creating an information security management system.
NIS 2 - The NIS 2 Directive (2555/2022), in effect since January 2023, establishes minimum requirements to ensure greater harmonization at the EU level of cybersecurity laws and procedures.
NEC 2023 - Electrical code developed by the NFPA (National Fire Protection Association) that sets safety standards for electrical installations.
NIST CSF - The NIST Framework for Improving Critical Infrastructure Cybersecurity, or NIST CSF, was developed to address the critical infrastructures of the United States. Among the main ones are: energy production, water supply, food supply, communications, healthcare provision, and transportation.
NIST SP 1800 - The NIST SP 1800 series covers the implementation and application of standards-based cybersecurity technologies in real-world applications.
NIST SP 800-171 - NIST SP 800-171 addresses government contractors, who are often targets of cyber attacks due to their proximity to federal information systems.
NIST SP 800-53 - The NIST SP 800 series increasingly focuses on cloud security. NIST SP 800-53 is the benchmark for information security for U.S. government agencies.
RED - The Radio Equipment Directive (RED) is an EU regulation that establishes requirements for the marketing and use of radio equipment. Its goal is to ensure the safety of these devices and services and the absence of interference.
Regulation (EU) 2023/1230 - The new Regulation (EU) 2023/1230 aims to harmonize safety and health protection requirements for machinery across all member states. It includes themes related to digital technologies and cybersecurity applied to machinery.

Conclusions

Security is a critical factor in ensuring the continuity and efficiency of modern industrial operations, and in this regard, it is essential to know and apply the norms in teleassistance. The NIS2 Directive, the IEC 62443 standard, and other key regulations provide a solid and detailed regulatory framework to address the challenges of cybersecurity in this sector.

Complying with these regulations not only helps mitigate security risks but also facilitates collaboration and trust among the various parties involved in the industrial ecosystem. Adopting a proactive approach to security, based on these directives, represents a fundamental step toward ensuring a secure and resilient digital future for industrial remote assistance operations.

Copyright 2025 moVpn All Rights Reserved by Mooves