Why cybersecurity is relevant for mobile machinery manufacturers
We live in an increasingly interconnected world. Internet and cloud applications are an essential tool in business and are also used more and more often in industrial operations and the mobile machinery sector.
Mobile machinery can be divided into two categories: road vehicles (e.g. municipal vehicles) and off-highway vehicles (e.g. construction and agricultural machinery). What unites them is that they may encounter other vehicles and/or people during operation – e.g., cars, bicycles, and pedestrians in the case of a municipal vehicle, or construction workers and road users in the environs of the building site for an excavator. Another uniting feature is that in most cases a human operator is involved. That is why safety and security are absolutely essential – if a system is not secured against outside influences (security), then it cannot operate safely in its environment (functional safety).

Functional safety is, of course, a key ingredient for mobile machinery, as it ensures fail-safe operation and reduces the risk of injury or damage. However, in recent years, security and in particular cybersecurity has become a crucial factor as well, as it also addresses operational, financial, and privacy impact on a wider scale. We often hear about cyber incidents involving industrial systems or critical infrastructure, but mobile machines are just as vulnerable to such threats. The three main issues are:
- Taking control of a unit and potentially the entire vehicle
- Unauthorized access to data
- Denial-of-service attacks
Cybersecurity regulations on EU level
The EU is implementing stricter cybersecurity regulations to ensure that not only critical infrastructure, but also the increasing number of systems that are using digital products and/or can connect to the Internet as part of their functionality portfolio are secured and thus safe to operate. Many of these regulations are either already in effect or will have to be complied with within the next three years.
Mobile machinery manufacturers need to not only understand the regulatory framework, but they also need suppliers and partners who can provide components that support their compliance. The most relevant regulations are listed below:
NIS2 (Network and Information Security) Directive: This regulatory framework covers information security in a range of industries with the aim of increasing the overall level of cybersecurity in the EU. There are strict requirements for critical infrastructure and essential services. The directive details the level of security that needs to be achieved. Compliance with relevant industry (cyber)security standards is usually the best way to fulfill the NIS2 requirements.
UN regulations No. 155 (R155) and No. 156 (R156): The United Nations Economic Commission for Europe (UNECE) aims at promoting pan-European economic integration and its regulations cover:
- UN Regulation No. 155 (cybersecurity for road vehicles) is crucial for protecting modern vehicles from cyber threats and aligns with ISO/SAE 21434.
- UN Regulation No. 156 (software update and software update management system) ensures that vehicle software updates are managed in a way that maintains the safety and security of the vehicle and its occupants.
- Manufacturers have to ensure that the vehicle as a whole and all of its components comply with this standard to receive certification.
EU Machinery Regulation 2023/1230: This regulation specifies mandatory health and safety requirements for designing and manufacturing machinery products and is aimed at machinery manufacturers. The CE marking will be used to indicate that machinery complies with the requirements. Some key elements in relation to cybersecurity are:
- Protection against cyber threats: Machinery must be designed and constructed to withstand cyberattacks, ensuring that safety functions are not compromised.
- Secure communication: Communication between machinery and other devices must be secure to prevent unauthorized access and data breaches.
Cyber Resilience Act (CRA): The focus is on ‘products with digital elements’ distributed or sold in the EU. This includes both software and hardware products, and extends to products that are directly or indirectly connected to other devices or networks. It also includes the respective remote data processing capabilities of IIoT solutions, e.g. those used for remote services or predictive maintenance. Some products, e.g., in the medical, automotive, and aviation sectors, are exempt, as they are already covered by other, more stringent, regulations.
The CRA thus applies to mobile machinery with (connected) digital components, e.g. those that collect or use sensor and camera data, devices connecting to the Internet or the cloud, or applications involving machine learning or automation of specific tasks. In the next two years, manufacturers will have to start complying with reporting obligations and cybersecurity requirements for any new products they sell.
Radio Equipment Directive (RED) 2014/53/EU: RED establishes a regulatory framework for placing radio equipment on the market within the EU and sets requirements for safety, health, electromagnetic compatibility, and efficient use of the radio spectrum. The Commission Delegated Regulation (EU) 2022/30 supplements the RED by adding cybersecurity requirements as a part of the compliance check. The detailed requirements are stated in the EN 18031 standards, which were harmonized for each of the three areas below (EN 18031-1/2/3) under RED Article 3(3), points (d), (e), and (f):
- Network protection: Ensuring radio equipment does not harm network functionality.
- Personal data and privacy: Safeguarding user data and privacy.
- Fraud protection: Preventing fraudulent activities.
Industrial standards highlighting cybersecurity topics
Aside from regulations, industrial standards also often highlight aspects related to cybersecurity. These may only be applicable for a certain vehicle type (e.g. a road vehicle), but they also need to be considered when discussing cybersecurity in the mobile machinery sector.
The Automotive Cybersecurity Standard (ISO/SAE 21434) is an example: This standard deals with the management of cybersecurity risks throughout the lifecycle of road vehicles, covering the design and development phase through production, operation, and decommissioning of vehicles – this is similar in scope to the Cyber Resilience Act for digital products. Compliance with this standard is crucial for road vehicles, e.g., firefighting vehicles, garbage collection trucks, or road sweepers.
Cybersecurity at TTControl
Functional safety and security have always been at the core of our product development and solutions. TTControl implements cybersecurity measures within the company and provides its customers with products and components that comply with the relevant industry standards in this field.
Certifications on company level
TTControl is currently in the process of certification according to ISO/SAE 21434, the main automotive cybersecurity standard, and aims for completion in 2025. The certification assesses TTControl’s product development lifecycle. Thus, we can prove that our products are designed according to best practices not only in functional safety, but also in cybersecurity. Some of the work products of this standard, such as the Threat Analysis and Risk Assessment (TARA), serve as evidence when assessing compliance with UN Regulation No. 155 (R155) and can be provided to customers in the cybersecurity package. Additionally, we provide a cybersecurity manual containing guidelines and best practices on how to securely integrate and use our products.
Cybersecurity features in TTControl’s products
Cybersecurity in mobile machinery needs secure hardware solutions. Electronic control units (ECUs) therefore need to provide functionalities like secure boot, update, and data storage and comply with the relevant industrial cybersecurity standards. TTControl sells COTS (commercial-off-the-shelf) products that are implemented in a wide range of off-highway vehicles and mobile machinery and is currently rolling out cybersecurity features for its newest ECU series, TTC 2000. These ECUs will offer a dedicated HSM (hardware security module), which provides hardware encryption and secure storage to allow secure boot and download. The FusionAI multi-screen and multi-interface computing platform human machine interface (HMI) also supports cybersecurity features.
The main cybersecurity features covered are:
- Cryptography implementation in hardware – this is important for speed and resistance to hardware-related attacks, such as side-channel attacks or fault injection attacks.
- Secure storage guarantees the confidentiality and integrity of cryptographic keys that are used to protect sensitive information.
- Firmware – APIs (application programming interfaces) that customers can use to establish secure communication between different devices.
- Secure boot and secure download ensure secure operation of the product and prevent unauthorized changes during software updates.
Cybersecurity in post-development phases
We actively monitor vulnerabilities in TTControl products, including the external libraries, and provide the Software Bill of Materials (SBOM) to our customers. Vulnerability reporting is implemented through an official CVE Numbering Authority (CNA) and we aim at providing timely release of security-relevant fixes.

Get in touch with us
Cybersecurity is relevant to all, but regulations and needs vary depending on each industry. Find out how we can support your use case and enhance the cybersecurity of your applications.