Cybersecurity on the Factory Floor

Cybersecurity on the Factory Floor: Protection Against Corruption Under Regulation (EU) 2023/1230

The modern factory floor is no longer a closed-loop system of purely mechanical assets. Today, machinery is heavily integrated with the Internet of Things (IoT), remote diagnostic tools, and interconnected control networks. While this connectivity drives efficiency, it also introduces a completely new threat vector for physical machine safety: cyberattacks.

Recognizing that malicious third parties can now impact the physical safety of products, the European Union has integrated stringent cybersecurity mandates into the new Machinery Regulation (EU) 2023/1230. For safety engineers and safety managers, mitigating these risks is no longer solely the responsibility of the IT department.

Here is a deep dive into the new cybersecurity requirements for machinery control systems and how you must design equipment to ensure "protection against corruption."

A New Era of Threats: Withstanding Malicious Attempts

Historically, machinery safety regulations focused on preventing accidental failures or user errors. The new Regulation shifts this paradigm by officially acknowledging the risks provoked by malicious third parties.

Under the updated essential health and safety requirements for control systems (Annex III, 1.2.1), machinery control systems must now be designed and constructed to withstand reasonably foreseeable malicious attempts from third parties. This means safety engineers must account for hacking, unauthorized access, and malicious code injections during their risk assessments to ensure that such attacks do not lead to a hazardous situation. Manufacturers are required to adopt proportionate measures that are specifically focused on protecting the safety of the machinery.

Deep Dive into "Protection Against Corruption"

To combat these cyber threats, Regulation (EU) 2023/1230 introduces a mandatory essential health and safety requirement known as "Protection against corruption" (Annex III, 1.1.9) and new standard EN 50742: ‘Protection against corruption’. Safety professionals must ensure their designs meet the following strict criteria:

• Safe Remote Connections: Machinery must be engineered so that the connection of another device—whether connected directly or communicating remotely—does not lead to a hazardous situation.
• Securing Critical Hardware and Software: Any hardware component that transmits data relevant to software critical for safety compliance must be designed with adequate protection against both accidental and intentional corruption. Furthermore, the critical safety software and data itself must be clearly identified and similarly protected against corruption.
• Clear Software Identification: The machinery must be able to identify the software installed on it that is necessary for safe operation, and this information must be easily accessible at all times.

The Data Trail: Mandatory Logging and Traceability

One of the most significant operational changes for safety managers is the new requirement for digital traceability. When a machine's safety logic is tampered with, investigators and authorities need to know exactly what happened and when.

To ensure accountability, the Regulation mandates that machinery must collect evidence of both legitimate and illegitimate interventions in the safety-critical hardware and software, as well as any modifications to the software's configuration.

Specifically, control systems must be designed so that a tracing log of data generated regarding these interventions, alongside the versions of safety software uploaded, is enabled and retained for five years after the software is uploaded. This log is kept exclusively to demonstrate conformity to national authorities upon request.

Streamlining Compliance: The Cybersecurity Act

For safety teams wondering how to prove their control systems are secure against these threats, the Regulation provides a clear pathway.

Machinery and related products that have been certified—or have been issued a statement of conformity—under a relevant cybersecurity certification scheme adopted via the EU Cybersecurity Act (Regulation (EU) 2019/881) benefit from a "presumption of conformity". If the references of these schemes have been published in the Official Journal of the European Union, utilizing them will automatically presume your machinery meets the Regulation's essential health and safety requirements regarding protection against corruption and the reliability of control systems.

The Takeaway for Safety Professionals

The boundary between IT security and operational technology (OT) safety has officially dissolved. Under Regulation (EU) 2023/1230, a machine is not physically safe if it is digitally vulnerable. Safety engineers and managers must now seamlessly integrate cybersecurity protocols into their iterative risk assessment processes, ensuring robust protections, secure remote connections, and rigorous intervention logging to protect the factory floor from modern digital threats.