Paul Hingley, business manager for cyber security at technology company Siemens, analyses the Cyber Resilience Act and advises on the standards that can help chemical manufacturers to plug remaining vulnerability gaps.
Cyber-attacks have devastating consequences, and authorities are hoping that ambitious new regulations will help shore up security and minimise the risk criminals present to the sector.
The EU Cyber Resilience Act (CRA) was adopted in 2024; its vulnerability-reporting obligations apply from September 2026 and its main product requirements from December 2027. It is expected to help businesses bolster their defences, with the UK expected to follow with similar legislation.
It promises a significant leap forward in shutting the backdoors that cyber criminals use to access company networks. But it will be no panacea. Rather, it will provide one not insignificant piece of the wider security puzzle.
A growing threat
Digitalisation is changing what’s possible in chemical manufacturing and processing. Industry 4.0 brings with it the promise of a more sustainable, efficient and cost-effective present and future for the industry. But this pursuit presents a significant security challenge.
Businesses across the sector are seeing their attack surface grow rapidly as they connect more operational technology (OT) to IT and plug themselves into supply-chain-wide systems in which data is exchanged between partners constantly.
Studies suggest approximately half of manufacturers have experienced a serious cyber-attack in recent years [1]. This ranges from ransomware, where attackers render production and business systems unusable and demand millions of pounds to restore them, to intellectual property theft by organised gangs and state actors.
Introducing the Cyber Resilience Act
So there is no dispute that we must keep advancing standards and technology to tackle the threat.
Once in force, the CRA will usher in more stringent requirements for products with digital elements, including new machinery and control equipment: they must be placed on the market without known exploitable vulnerabilities, ship with secure default configurations and receive security updates throughout their support period. This lowers the risk of factory-floor OT, or PCs and other IT, acting as a backdoor into company networks.
Most expect the CRA's harmonised standards to build on internationally recognised standards such as IEC 62443, the main cybersecurity standard family for industrial automation and control systems, which lays out best practice for a well-rounded approach to security. IEC 61508, the functional safety standard for electrical and electronic systems, is its counterpart on the safety side, and the two are increasingly applied together.
Importantly, IEC 62443 comprehensively covers the responsibilities of the different parties that contribute to a system's overall robustness: the asset owner, such as the chemical processor, the system integrator and the product or component suppliers.
This means that the CRA should ensure that component suppliers produce technology that is free of known exploitable vulnerabilities when delivered and is patched as new ones emerge. But the act's limitations lie in the fact that it cannot legislate for how the technology is used by the asset owner, so there is a myriad of potential operational vulnerabilities that it does not cover.
For example, if safety functions depend on commands arriving over the plant network and there is no hard-wired manual emergency stop, a denial-of-service (DoS) attack that floods that network could feasibly take out the safety controls of hazardous equipment, putting staff at risk of exposure to dangerous chemicals.
Similarly, an absence of stringent security policies for external service providers could allow an engineer to inadvertently carry malware or an insecure configuration from a previous customer's site into a company's systems on an engineering laptop or removable media.
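The emergency-stop scenario above turns on one design property: the safety function must not depend on the network being available. The following simulation is an added example, not code from the article or from Siemens, and everything in it (the controllers, the watchdog timeout, the trip threshold and the constructed tick sequences) is an assumption made for illustration. It contrasts a controller whose only stop path is a network command with one that trips to a safe state on a watchdog timeout, a local pressure trip, or a hard-wired emergency stop that bypasses the network entirely.

```python
"""Added illustration (not the article's code): a network-fed actuator controller under DoS.

A 'naive' controller keeps driving the last setpoint it heard when the network goes silent.
A fail-safe controller treats silence as a fault, trips on a local sensor threshold, and honours
a physical emergency stop wired straight to the actuator. The trip latches until a local reset.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAFE_SETPOINT = 0.0        # e.g. valve closed / heater off
WATCHDOG_TIMEOUT_S = 2.0   # assumption: longest tolerated silence from the supervisory network
PRESSURE_TRIP_BAR = 10.0   # assumption: local high-pressure trip threshold


@dataclass
class Tick:
    t: float                         # seconds since start
    pressure_bar: float              # local sensor reading: always available, never crosses the network
    net_setpoint: Optional[float]    # None when no packet arrived this tick (e.g. link flooded by DoS)
    hardwired_estop: bool = False    # physical button wired directly to the actuator


class NaiveController:
    """Trusts the network: keeps the last setpoint; the only way to stop it is another packet."""

    def __init__(self) -> None:
        self.setpoint = SAFE_SETPOINT

    def step(self, tick: Tick) -> float:
        if tick.net_setpoint is not None:
            self.setpoint = tick.net_setpoint
        return self.setpoint  # under DoS this keeps running the last command indefinitely


class FailSafeController:
    """Safety decision uses only local inputs; network loss or a local trip forces the safe state."""

    def __init__(self) -> None:
        self.setpoint = SAFE_SETPOINT
        self.last_heard = 0.0
        self.tripped = False

    def step(self, tick: Tick) -> float:
        # Local trip sources: hard-wired E-stop and local sensor. Neither depends on the network.
        if tick.hardwired_estop or tick.pressure_bar >= PRESSURE_TRIP_BAR:
            self.tripped = True
        if tick.net_setpoint is not None:
            self.last_heard = tick.t
            if not self.tripped:          # a network packet can never clear a latched trip
                self.setpoint = tick.net_setpoint
        elif tick.t - self.last_heard > WATCHDOG_TIMEOUT_S:
            self.tripped = True           # silence beyond the watchdog window is treated as a fault
        return SAFE_SETPOINT if self.tripped else self.setpoint

    def local_reset(self) -> None:
        """Only an operator at the equipment may clear the trip (not exposed to the network)."""
        self.tripped = False


def run(controller, ticks: List[Tick]) -> List[float]:
    return [controller.step(tick) for tick in ticks]


def dos_scenario() -> Tuple[List[float], List[float]]:
    """Constructed: two good packets, then the network goes silent while pressure rises."""
    ticks = [
        Tick(0.0, 5.0, 80.0),
        Tick(1.0, 5.0, 80.0),
        Tick(2.0, 6.0, None),   # DoS begins: no packets reach the controller
        Tick(3.0, 7.0, None),
        Tick(4.0, 8.0, None),   # watchdog expires here (3 s of silence > 2 s)
        Tick(5.0, 9.0, None),
    ]
    return run(NaiveController(), ticks), run(FailSafeController(), ticks)


def estop_scenario() -> Tuple[List[float], List[float]]:
    """Constructed: network stays up and keeps commanding 80, but the physical E-stop is pressed."""
    ticks = [
        Tick(0.0, 5.0, 80.0),
        Tick(1.0, 5.0, 80.0, hardwired_estop=True),
        Tick(2.0, 5.0, 80.0),   # the remote command does not un-trip the actuator
    ]
    return run(NaiveController(), ticks), run(FailSafeController(), ticks)


if __name__ == "__main__":
    for name, scenario in (("DoS", dos_scenario), ("E-stop", estop_scenario)):
        naive, failsafe = scenario()
        print(f"{name}: naive={naive} fail-safe={failsafe}")
```

In the DoS run the naive controller never leaves the last commanded setpoint, while the fail-safe controller drives the actuator to its safe state once the watchdog window closes; in the E-stop run only the fail-safe controller responds to the button, and a later network command cannot override it. The same principle applies to a real safety instrumented system: its trip logic and its reset path should be reachable only locally, so that flooding or losing the plant network cannot remove protection.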
Solving the puzzle
Effectively minimising exposure to such attacks will require asset owners to audit operational processes across the board, to plug any holes not covered by the CRA. This can be a monumental task, especially for larger manufacturers with more capital stock, so it is important that no corners are cut.
Trusted technology suppliers can play a key role in helping companies navigate complex standards while maintaining machine and process safety.
Siemens' Xcelerator, for example, represents an ecosystem of vendors and integrators that build systems for customers collaboratively based on standards like IEC 62443. We can support in designing a system, and will audit the solution after its installation, helping companies reach a robust level of protection: steps that materially reduce the chance that a cyber-attack succeeds.
Industry is embracing digital transformation, but for this to be successful, cyber security needs to be at the forefront of manufacturers' minds. And although the CRA will form an important piece of the puzzle, an end-to-end evaluation of operating standards will be key in tackling cyber-crime.