Plant safety report 2024

pb,

Cyber threats: Pragmatic approach in three steps

Due to increasing digitalization and networking, systems and machines must be better protected against cyberattacks. Operators of systems requiring monitoring can use the Technical Rules for Operational Safety (TRBS) as a guide. The TÜV Association pointed this out at the presentation of the Plant Safety Report 2024.

Jörg Becker, Head of the Cybersecurity Competence Center at TÜV SÜD Industrie Service © TÜV SÜD

The Plant Safety Report is compiled by the TÜV Association in cooperation with all German authorized inspection bodies (ZÜS). The experts have observed that the growing number of cyberattacks on German companies has also raised awareness of the associated dangers and risks. "We are no longer discussing whether cybersecurity is needed," says Jörg Becker, Head of the Cybersecurity Competence Center at TÜV SÜD Industrie Service. "We are discussing what needs to be done." The expert believes a pragmatic three-step approach makes sense: In the first step, companies need to identify the systems that are relevant to cybersecurity. The second step is to assess the consequences of an attack on these systems, and the third step is to define the specific measures required to protect the systems.

Guide to technical rules for operational safety

When looking for suitable protective measures, operators of systems requiring monitoring can use the Technical Rule for Operational Safety (TRBS) 1115-1, which was adopted last year, as a guide. "In essence, this means that plant operators must also take cyber threats into account as part of their risk assessment and define appropriate countermeasures if employees or people in the danger zone could be endangered by a cyber attack," explains Becker. "Safety-relevant measuring, control and regulation equipment is particularly relevant here. However, sometimes a dangerous situation can also be caused by manipulation of other system components. In this case, these must also be protected." Not affected by this regulation are systems whose safety functions are purely mechanical or analog and whose safe operation is not endangered by a cyber attack.

Selection of protective measures

TRBS 1115-1 describes the procedure for selecting suitable protective measures, which are subdivided into six areas: hardware architecture and segmentation; access and access control; secure installation and changes to protective measures; function reduction and hardening; monitoring of hardware and software, including their communication; and emergency management. "Every company must consider which measures are required for each of these areas to ensure adequate protection," explains Becker. "The 'classics' are virus scanners or password protection. However, the repertoire of measures is much larger. This is why cyber security concepts can vary."

Cybersecurity concepts of the TÜV association

In future, the ZÜS will also check whether the minimum requirements of TRBS 1115-1 have been implemented and sufficient protective measures have been defined as part of the legally required inspections of systems requiring monitoring. In order not to overburden small and medium-sized companies in particular, there will be a gradual transition or a gradual expansion of the scope and depth of testing. Insufficient implementation of the requirements has been assessed as a deficiency since 2023. Since April 1, 2024, the ZÜS have been obliged to carry out a more extensive inspection, which initially relates to the documentation and plausibility of the measures. In future, the technical implementation and functionality of the protective measures on the systems themselves will also be inspected.

Installations requiring monitoring are items of work equipment that pose particular hazards. These include elevator systems, systems in potentially explosive areas and pressure systems. In the Plant Safety Report, the TÜV Association publishes an annual evaluation of the legally required inspections of plants requiring monitoring. The current Plant Safety Report 2024 with all statistics and technical articles on current topics can be downloaded from the TÜV Association.
