According to the ISO 10218-1:2025 and ISO 10218-2:2025 standards, industrial robots shall have protective measures against cyber threats, in addition to a number of new requirements. According to experts, manufacturers are currently working flat out to implement these requirements as part of the transitional period, which is expected to end in 2027.

You might now think that this is not so serious, because standards, even when they are listed in the Official Journal of the EU, are voluntary. That is still true. However, cybersecurity is a special case: the requirements apply not only on the basis of the above-mentioned standards, but also on the basis of two new EU regulations:
- Cyber Resilience Act (CRA): Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance)
- Machinery Regulation: Regulation (EU) 2023/1230 of the European Parliament and of the Council of 14 June 2023 on machinery and repealing Directive 2006/42/EC of the European Parliament and of the Council and Council Directive 73/361/EEC (Text with EEA relevance)*
* The Machinery Regulation uses the term "protection against corruption" instead of "cybersecurity".
Cybersecurity Threat Assessment
Since industrial robot systems contain digital elements, they are subject to the above-mentioned regulations. Thus, after the final entry into force of these regulations in 2027, it will actually become mandatory to provide cybersecurity measures on industrial robot systems as well. However, a large part of the measures can already be provided by the component manufacturers, e.g. control manufacturers.
According to ISO 10218-1:2025 Section 5.1.16 and ISO 10218-2:2025 Section 5.2.26, the only mandatory measure is a so-called Cybersecurity Threat Assessment. As far as is known so far, it is similar to the well-known risk assessment according to ISO 12100. It is used to analyze possible threats, assess their risk and derive protective measures. The standard also lists some protective measures against unauthorized access, not as a requirement but only as an explanatory note:
- ability to disable access to communications ports, e.g. Transmission Control Protocol/User Datagram Protocol (TCP/UDP) port;
- ability to change the TCP/UDP port number, e.g. logical connection;
- authenticated protection of the safety configuration;
- ability to change the default configuration (e.g. usernames, user passwords, IP addresses, safety authentication);
- use of encrypted and authenticated protocols.
For more practical measures, see also the list below.
The Machinery Regulation and the associated standards include measures relating to health and safety protection, but none in relation to property damage. The CRA Regulation can include damage to health, property and finance. However, only health and safety protection measures are considered within this article. It is important to note that protective measures are only necessary if the safety of the robot system is actually threatened. For example, the robot user program is usually outside the safety consideration. This means that a malfunction of the user program, regardless of the cause, would have no consequences for the safety of the system. This is because safety functions such as restricted space and speed or emergency stop shall also be effective regardless of the user program or even in the event of a faulty program. In addition, the functional safety of industrial robot systems today is at a very high level, usually PL d, category 3 according to EN ISO 13849-1. This high-grade functional safety is usually also a very good protection against cyber threats.
Cybersecurity in case of re-application of used industrial robots within new systems
Even if used industrial robots are installed in a new robot system, the above-mentioned regulations apply to the manufacturer of the system. The cybersecurity threat assessment is therefore of particular importance. It is possible that the safety components installed in the used robots are only slightly or not at all susceptible to cyber threats (security by design) due to their hardware (relay technology, redundancy, etc.). As a result, the cybersecurity threat assessment could be very short.
However, if it turns out that cyber threats can threaten the safety of the robot system, protective measures are required. An exact selection and number of measures have not yet been determined. This is decided by the Cybersecurity Threat Assessment. In addition to the protective measures already mentioned above, the following further measures can be taken on used robots, for example:
- Remove or close USB ports
- Remove or close LAN interfaces
- Deactivate Wi-Fi or activate it only with a key
- Use USB sticks, if necessary, only after verification and approval
- Check checksums of the safety software periodically
- Security updates, if still possible
- Training of employees in the safe handling of safety-relevant data and components, and definition of responsibilities as well as access authorizations
- Firewalls, virus scanners
- Classification of data (Which data is safety-relevant and worthy of protection, which is not?)
- Periodic safety tests, e.g. sample-wise testing of space limits or force limits by exceeding the limits on a test basis
- Data backup and emergency management
- Create log files
- Strong passwords
The measures can also be applied to new industrial robots or systems. Depending on the type of protective measure, these shall be implemented by the system manufacturer or passed on to the machine user as instructions. For the obligations of machine users (employers), see TRBS 1115-1. The above-mentioned EU regulations contain further measures that shall be implemented by the manufacturer, such as reporting obligations for known vulnerabilities or the provision of updates. It is also to be expected that with the final entry into force of the above-mentioned EU regulations, guides on the practical implementation of the regulations will be published. Further information on the cybersecurity of machines and machinery systems can be found in DGUV FBHM 102.
Note: This article is a translation of German websites