Cybersecurity in the Age of Rapid Digitalization, Connectivity

Software-secure elevators are key to preventing disruption and retaining customer and passenger confidence.

by Shari Parillo

Anyone following the elevator industry over the recent past cannot fail to notice the many electronics being integrated into the elevator system. These products gather equipment data designed to enhance maintenance efficiencies. New passenger interfaces offer seamless customer experiences and more integration into building ecosystems. Many provide tremendous value to elevator equipment maintainers, building owners and the riding public. Aided by the decreasing cost of electronics and increasing capabilities of software, and supported by the elevator codes, we at Otis expect this trend to continue. We also anticipate the introduction of advanced capabilities for service and diagnostics to allow service technicians to rapidly diagnose and interact with the elevator outside of the hoistway or machine room. We also expect to see wider application of electronic safety functions and integration of even more connected capabilities, which enhance customer comfort and equipment availability. Products that integrate the elevator into a wide variety of building systems are also gaining momentum.

It is no surprise that this rapid digitalization and connectivity also provides more pathways for hackers and disruptors. Consequently, public demand for the security of connected products is on the rise. For example, the California Internet of Things (IoT) Security Law went into effect in January, which requires the integration of some basic security measures on a broad range of commercial equipment.

Elevator manufacturers are impacted by the California law, as they need to adhere to its rules to install elevators in the state. Beyond it, more customers are asking sophisticated questions regarding the security of their elevators. It is not unusual for the elevator manufacturer to be handed a multipage survey to describe the specific security defenses integrated in its devices. This typically includes password protections, wireless security measures, and certificate and cryptographic communications features. Many surveys can be difficult for an elevator manufacturer to navigate, as they are typically created by information-technology (IT) departments and are meant for the installation of computers or servers. For example, it may be quite simple to verify virus protection and update capabilities for the typical IT systems, but it may be quite difficult to explain the security of custom IoT or embedded elevator products in the same way. We do expect to see customer interest in security to continue as a natural result of the technological advances in the elevator industry.

As explained in “Cybersecurity Best Practices” (ELEVATOR WORLD, April 2020), the National Elevator Industry, Inc. (NEII) guideline, Elevator & Escalator Industry Cybersecurity Best Practices, published in 2019, is a helpful reference on best practices to integrate and establish product cybersecurity so that we, as an industry, can meet the new legal challenges and customer queries. Early this year, work was kicked off to further revise this guideline in collaboration with cyber industry experts to ensure that it reflects the latest best practices regarding cybersecurity measures and processes that need to be embedded in the design, development and lifecycle of the elevator components. A revision is planned for publication this year that will integrate these improvements and provide enhanced guidance to our industry toward the development of secure products.

Meanwhile, the International Organization for Standardization (ISO) held the initial ISO/TC 178/WG 12 meeting last October to begin drafting ISO 8102-20 Electrical requirements for lifts, escalators and moving walks – Part 20: Cybersecurity. This standard will leverage the cyber guidelines of NEII best practices and ISA/IEC 62443, Security for Industrial Automation and Control Systems, which is a widely accepted cybersecurity standard for industrial controls.

ISO 8102-20, which aims to gain international acceptance, will give the manufacturer more concrete rules for and guidance to implement specific security features in elevator systems and components. This can be traced to IEC 62443 requirements. The expected publication date is 2022. Integration into and/or reference by elevator codes is expected to follow publication. This will enable our industry to become more normalized regarding the application of product cybersecurity features into elevator products.

To standardize the industry with respect to cybersecurity, elevator equipment providers have a responsibility to apply the best current, applicable cybersecurity practices to equipment. Using the NEII guideline and dedicating staff that can apply mature design practices is key to avoiding any disruption to our industry’s products and services by malicious actors and retaining the confidence of our customers and the
riding public.