Machinery security in a wireless world

AS WE continue to develop Industry 4.0-based production methods, increasingly complex and convergent technologies are being continuously introduced. This means that machines are increasingly incorporating radio-based components which rely on the radio spectrum to operate. 

The Radio Equipment Directive (RED) 2014/53/EU is applicable to all electrical and electronic devices that intentionally emit and receive radio waves at frequencies below 3000 GHz, and it establishes a regulatory framework for placing radio equipment on the market.

The RED ensures a single market for radio equipment by setting essential requirements for safety and health, electromagnetic compatibility, and the efficient use of the radio spectrum. It also provides the basis for further regulations by delegated acts adding additional legislation such as in this case for cybersecurity. 

It should be noted that in the UK, the requirements of the Radio Equipment Regulations 2017 are presently identical to the RED, and there is no plan to mirror any additional requirements in the RED.

Compliance with the RED is achieved by satisfying a number of “essential requirements”. The existing ones for Safety and Health, EMC and Radio are well known as the “original” essential requirements. A delegated act has been published, which activates new essential requirements with the details given in the following Articles in the RED, which the industry has collectively termed “cybersecurity”:

- 3.3d: communicate over the internet, either directly or via any other equipment

- 3.3e: process personal data, traffic data or location data

- 3.3f: enable users to transfer money, monetary value or virtual currency

Essentially, these updates to the RED are intended to enhance network protection by ensuring that radio equipment does not harm the network or its functioning. It also ensures that network resources are not misused, and that radio equipment does not cause unacceptable degradation of service. It therefore covers equipment that can communicate itself over the internet or via an internet-connected device. The updates to the RED are also intended to enhance data privacy by incorporating safeguards to protect personal data and the privacy of users and subscribers. It is important to note that these new requirements have not been replicated in the UK’s Radio Equipment Regulations.

These new RED provisions will become mandatory on 1st August 2025, which is an extension from the original date of 1st August 2024. Manufacturers of radio equipment, that is not compliant by that date, face potential action. 

To help manufacturers comply with these essential requirements, the European Commission issued a “standards request” to the European Standards Organizations (ESO), asking them to produce standards to assist in compliance. Further guidance is also expected from the Commission. The standards request sets out the minimum requirements, but the final standards may include further assessment criteria where appropriate, and further guidance could come from the Commission. 

What do the Essential Requirements actually mean?
Article 3.3(d) – Protection of the network It covers radio equipment that can communicate directly through the Internet and radio equipment which can communicate over the Internet by way of another connected device. In simplistic terms, the radio product must not, nor be able to be compromised, thereby causing harm to the network.  

Article 3.3(e) – Privacy This requires radio equipment to incorporate safeguards to ensure that the personal data and privacy is secured. This includes but is not limited to radio equipment that can process personal, traffic and location data. 

Article 3.3(f) – Fraud prevention It will protect users who wish to use radio products to process financial transactions and protect them from compromise and fraud.

Compliance

As compliance with the essential requirements becomes mandatory from 1st August 2025, the entire machinery supply chain (manufacturers, importers and integrators of radio equipment) should have made adaptations to how radio-enabled machinery is manufactured and supplied, the new requirements should also have been included into product technical specifications as early as possible. 

Although the RED pioneered the way forward in Europe in mandating cybersecurity of connected devices, the EU Cyber Resilience Act (CRA) and the UK's Cyber Security and Resilience Bill both aim to improve cybersecurity. The CRA applies to the EU, while the UK bill will improve cyber defences and protect essential public services. The CRA will affect manufacturers, importers, and distributors of hardware and software products. To better comply with the CRA’s requirements, they all need to understand whether their product falls within the scope of its legal framework. It’s therefore vital that end-users of connected machinery understand both their obligations and those of their equipment suppliers. 

The CRA applies to products with “digital elements”, which includes both hardware and software. It introduces new, binding and comprehensive cybersecurity requirements for connected hardware and software products in many aspects of digital industry. The aim is that ‘products with digital elements’ are designed with cybersecurity in mind from the onset and are therefore considered more secure. Manufacturers remain responsible for cybersecurity throughout a product’s life cycle. Companies therefore need to consider not only the operational phase of the digital product but its design, development, and production.

Increasingly complex and convergent technologies are being introduced as Industry 4.0 develops. More  products, such as machinery, are employing radio technology in their applications. Many of these devices connect to the Internet, which could expose such products to increasing security threats and the potential to be attacked and exploited. Consequently, as machines integrate more radio-based components, so regulations such as the RED and CRA must be considered at the design stage. 

www.tuvsud.com/uk