The new EU Machinery Regulation aims to prevent risks arising from digitization and the use of artificial intelligence. It applies to companies that manufacture, market or commission machines in the EU. This article describes how cyber security for machines can be achieved with Endian solutions.
Digitization has brought IT (information technology) and OT (operational technology) inseparably together. Machines and material flows are now largely software-controlled, and digital solutions are indispensable, particularly in the areas of monitoring and maintenance. This networking also comes with risks: the accessibility of OT means that machines and production systems are increasingly exposed to attacks from cyberspace. A successful cyberattack can have serious consequences - from production downtime to environmental damage and even endangering human lives.
The EU has therefore decided to tighten the safety regulations for machinery and also cover the risks arising from the use of digital technologies with a new EU Machinery Regulation. In contrast to the previous Machinery Directive 2006/42/EC, cybersecurity requirements are anchored in the new Machinery Regulation for the first time. The Machinery Regulation will become binding from January 20, 2027; it no longer needs to be transposed into national law.
More companies affected
The EU Machinery Regulation applies not only to manufacturers and dealers of machinery, but also to operators if they make significant changes to the machinery. Once a significant modification has been made, the operator is treated as a manufacturer from the perspective of the Machinery Regulation, with all the associated obligations. Machine operators should therefore clarify exactly how they are actually affected. Consultancy companies can provide valuable assistance here.
Under the heading “Protection against corruption”, the EU Machinery Regulation defines key cybersecurity requirements that affected companies must have implemented by this deadline.
Protecting machines means segmenting networks
Machines and their associated products must be designed in such a way that no dangerous situations arise even when external devices are connected - regardless of whether they are directly connected systems or remote maintenance devices.
This section of the EU Machinery Regulation addresses a central problem of digitization in terms of cybersecurity: as soon as machines and systems are networked, they are also reachable by attackers via the corresponding interfaces. If an attacker succeeds in introducing malware, it can spread unchecked in a flat, networked environment and cause far-reaching damage.
Network segmentation is therefore one of the most important principles for cyber security in a digitized environment. This involves identifying network areas with comparable protection requirements and separating them from each other using IoT security gateways. This allows administrators to control data traffic based on detailed regulations. Depending on requirements, an individual machine or part of it can form its own network segment.
Using multi-layered cyber security
Endian is developing a cybersecurity platform, the Endian Secure Digital Platform, which can be used to connect and secure IT and OT networks. The platform includes IoT security gateways for companies of all sizes, which are also suitable for network segmentation. The gateways in the Endian 4i series are optimized for use in industrial environments and equipped with many IT security tools. A firewall prevents malware from reaching a machine, regardless of whether it comes directly from the Internet or is introduced into the network via a compromised device. If an attacker manages to bypass the firewall, for example in an insider attack, the integrated Intrusion Prevention/Detection System (IPS/IDS) intervenes. It detects threats in real time and automatically initiates suitable countermeasures. Deep Packet Inspection (DPI) analysis and filtering can also be used to determine which servers and applications the connected machine is allowed to communicate with.
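As an added illustration of the segmentation principle and the per-machine communication allowlist described above (example code, not Endian's own code or configuration syntax; the segments, addresses, ports and rules are constructed), a small Python model of a default-deny policy between network segments:

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed example segments: network areas with comparable protection needs.
SEGMENTS = {
    "machine_cell": ip_network("10.10.1.0/24"),  # one machine: PLC, HMI, sensors
    "plant_it": ip_network("10.20.0.0/16"),      # MES, historian, update server
    "vpn_remote": ip_network("10.99.0.0/24"),    # remote-maintenance tunnel endpoints
}
# An allow rule: src/dst segment, optional specific server, port, protocol, purpose.
Rule = namedtuple("Rule", "src dst dst_host dport proto note")

# Allowlist between segments; everything not listed is denied by default.
RULES = [
    Rule("machine_cell", "plant_it", "10.20.5.10", 4840, "tcp", "OPC UA to historian"),
    Rule("plant_it", "machine_cell", "10.10.1.10", 102, "tcp", "engineering station to PLC"),
    Rule("vpn_remote", "machine_cell", "10.10.1.20", 443, "tcp", "HMI web UI over VPN"),
]

def segment_of(ip):
    """Map an address to its segment; anything outside all segments is 'external'."""
    addr = ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "external")

def evaluate(src_ip, dst_ip, dport, proto):
    """Return (decision, reason) for one flow as seen by the gateway."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return "allow", "intra-segment traffic, not mediated by the gateway"
    for r in RULES:
        if ((r.src, r.dst, r.dport, r.proto) == (src, dst, dport, proto)
                and r.dst_host in (None, dst_ip)):
            return "allow", r.note
    return "deny", "no rule for %s -> %s %s/%d (default deny)" % (src, dst, proto, dport)

def audit(flows):
    """Return a review line for every denied flow in a list of observed flows."""
    denied = []
    for s, d, port, p in flows:
        decision, reason = evaluate(s, d, port, p)
        if decision == "deny":
            denied.append("%s -> %s %s/%d: %s" % (s, d, p, port, reason))
    return denied

# Constructed sample flows as the gateway might observe them.
SAMPLE_FLOWS = [
    ("10.10.1.10", "10.20.5.10", 4840, "tcp"),  # PLC publishes to historian: allowed
    ("10.10.1.10", "203.0.113.7", 443, "tcp"),  # PLC reaching the Internet: denied
    ("10.20.9.9", "10.10.1.10", 445, "tcp"),    # office host trying SMB to PLC: denied
    ("10.99.0.5", "10.10.1.10", 102, "tcp"),    # remote vendor straight to PLC: denied
]
```

Running `audit(SAMPLE_FLOWS)` lists the three flows that the allowlist does not cover, which is the kind of output an administrator would review when tightening the rules for a newly segmented machine.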
Secure remote access
In addition to the spread of malware via networked devices, remote access also poses a significant security risk. As soon as a port is opened for remote maintenance, a potential attack surface is created. Cyber criminals could exploit such gaps to introduce malware or to steal or modify data. The EU Machinery Regulation therefore calls for the risks of remote maintenance to be addressed.
A virtual private network, which is pre-installed on the Endian 4i gateways, offers the decisive protection here. It encrypts the communication and routes it through a secure tunnel so that unauthorized third parties can neither access nor manipulate the encrypted data.
Set roles and authorizations
In addition to technical protective measures, granular assignment of rights and authorizations is also crucial to ensure the security of software and machines during remote maintenance. With the Endian Secure Digital Platform, role and rights management is controlled via the Switchboard, the platform's central management tool. A central user interface can be used to define exactly who can access the device and what actions can be carried out on it. These authorizations can be changed or deleted at any time, for example if an employee leaves the company or another service provider is commissioned with machine maintenance. It is also possible to set up two-factor authentication to ensure that the right person is actually connecting. For particularly critical machines, an approval process can also be established in which remote maintenance must be explicitly requested and approved.
Keeping security software up to date
All software must be kept up to date to prevent security gaps from arising unnoticed. The EU Machinery Regulation therefore also requires security-critical software to be made available throughout the entire life cycle of the machine. Here too, the Endian Secure Digital Platform offers the right solution: updates can be controlled via the Switchboard so that all connected gateways are updated simultaneously. This ensures that the security software is always up to date and that any security gaps are quickly closed.
Log accesses
The EU Machinery Regulation also requires evidence to be stored for every intervention in the software. This is particularly important because there are different parties that need access to the machines. On the one hand, there is the machine operator who wants to read out data, for example, and on the other, the machine manufacturer who needs to carry out maintenance and updates. Connecting to systems from material suppliers is also conceivable. This requirement can also be met with the Endian Secure Digital Platform, as every access can be logged and integrated into a SIEM system to enable comprehensive analysis and security monitoring. It is also possible to record a remote maintenance session via video. In order to meet the requirements of the GDPR, the user must give their consent beforehand. Logging can also be used to clarify liability issues in the event of problems following access.
Keeping an overview
Companies that want to protect their machines in the long term and sustainably need to know exactly which devices are in their networks. This is no easy task, as the digital transformation means that the number of networked devices in companies is constantly increasing and monitoring them seamlessly is a challenge for IT security. Endian has therefore established a feature in the Endian Secure Digital Platform called “Network Awareness”. Administrators can detect unusual data traffic in the network at any time and then take action if necessary.
Conclusion
The new EU Machinery Regulation sets clear requirements for the cyber security of machines and addresses the risks of digital networking. In particular, protection against cyber attacks through network segmentation, secure remote maintenance and up-to-date security software is essential. Endian's solutions, in particular the Endian Secure Digital Platform, enable companies to implement these requirements efficiently. With IoT security gateways, intrusion detection systems and comprehensive rights management, Endian offers a holistic security strategy for networked machines. Companies should act early to be compliant by 2027 and protect their production facilities in the long term.