Prioritizing Cybersecurity

Safeguarding modern lift systems from cyberattacks

by Thomas Schröder 
images courtesy of TÜV SÜD

In modern lift systems, digital elements and online correspondence have emerged as critical components of management and upkeep. More remote features, however, naturally increase the risk of system exploitation by unauthorized entities. In response, cybersecurity measures have taken the front seat when it comes to planning, designing, installing and operating lifts. 

Most newly installed lift systems have online access for a number of functions, including communication with manufacturers, service and maintenance providers, as well as various building-management and service systems. Some previously existing or modernized lift systems rely on an internet connection, as well. With each interaction representing an entry point for cybercriminals to take advantage of, this correspondence increases a system’s vulnerability to cyberattacks. Moreover, it means that cybersecurity measures are of the utmost importance for ensuring the safe operation of lift systems. Their effectiveness varies, however, and is contingent upon a number of factors, including frequency of updates and the quality and software of the elements used. Such measures are sometimes even legally required, making it paramount for manufacturers to keep up to date with current standards and regulations — at least if they want to continue to provide reliable and safe lifts, which is essential for the operators’ current and future trust.

Essential Cybersecurity Guidelines

Where cybersecurity is concerned, three standards or series of standards are of particular relevance for manufacturers and distributors: the ISO 2700x series of standards, the IEC 62443 series of standards and the ISO 8102-20 standard. The first two series of standards, while not directly related to the lift industry, enable manufacturers and distributors to address the topic of cybersecurity comprehensively. On the other hand, the ISO 8102-20, published in 2022, explicitly deals with the cybersecurity of lifts.

The ISO 27001 standard details general requirements with a classic information-technology (IT) security model suitable for a wide range of institutions of all sizes. It offers an ideal starting point that can be subsequently expanded upon with industry-specific requirements. More specifically, it addresses the processes of implementation, monitoring, maintenance and consistent optimization of information security management systems (ISMS). 

The IEC 62443 series of standards describes the cybersecurity requirements for industrial automation and control systems (IACS), which apply to any company that utilizes them, including manufacturers, system integrators and operators. Experts in the field regard IACS as belonging to the “operational technology security” (OT security) sector, as IACS deal with operational technological systems rather than traditional IT systems. For a more integrated approach, IEC 62443 also highlights how component manufacturers, integrators and system operators should collaborate with one another. A holistic overview like this is essential when considering the array of obligatory legal steps one must undertake to introduce a lift system to the market.

The ISO 8102-20 standard not only expands upon the IEC 62443, but is also the first to fully detail the specific cybersecurity requirements for lifts, escalators and moving walks. Moreover, it specifically mentions lift system components and goes over their corresponding security requirements, of which only components with data exchange points are relevant. This series of standards also references security levels (SLs) to convey the extent to which protection is required. More information on security levels and corresponding cybersecurity measures can be found in the IEC 62443 standard, part 3-3.

A lift system operates by dividing its respective functions into four domains: Essential, Alarm, Safety and Others. Under the “Essential” domain are functions such as operational controls. “Alarm” functions include the emergency alert system, and “Safety” functions are in place to guarantee the lift operates securely for the user. Lastly, functions that fall under the “Others” domain are those which do not pertain to operational safety, e.g., advertising displays, and therefore are not designated any SLs.

Safety-related components with programmable electronic systems must not only adhere to the previously mentioned security means, but also to specific functional safety standards. This applies to all systems rated with a safety integrity level (SIL) classification. Each function within a lift system that is operated electronically and involved in the functional safety of the device must be classified under the Safety domain. Electronic emergency stop controls, for example, would apply. An in-depth list of electrical safety functions in lift systems is provided under Annex A of DIN EN 81-20:2020.

SLs apply not only to lift components linked directly to safety, but also to all elements of a lift system in the Essential, Alarm and Safety domains, such as general controls, door mechanisms, fire-monitoring devices and emergency-call systems. Additionally, lift operators in Germany need to familiarize themselves with Technical Rule for Safety in the Workplace (TRBS) 1115 Part 1 to ensure that they are meeting all current requirements (see text box).

Security Levels Versus SILs

In the field of functional safety, the terms SLs (security levels) and SILs (safety integrity levels) are not to be conflated. A high SL rating is preceded by an assessment that the respective component must be protected against well-trained and ambitious attackers. It suggests that a specific component being cybersecure is paramount and should therefore be maximally protected. A high SIL, on the other hand, indicates the equipment has a high level of dependability and should therefore function with high reliability. One could expect components with high SIL to have a high SL, but there is no direct correlation between the two.

According to the IEC 62443 standard, SLs fall under two categories: a universal SL that generates an overall security rating of a piece of equipment, and an SL vector. SL vectors are more all-encompassing than general SLs, defining and rating the various specific aspects of security within a particular piece of machinery. SLs are conducted in compliance with “FRs” — “foundational requirements,” or the basic procedures vital to an effective security approach. Things like access control, encryption, authentication, data security and emergency recovery also fall under this category (see Table 1).

When It Comes to Safety, Prioritize Prevention

The sooner action is taken to integrate cybersecurity measures into a lift system, the more effectively said measures can minimize both the risk and possible repercussions of a cyberattack. In the long run, preventive measures may not only reduce later effort and inconvenience, but also save on costs. This makes comprehensive familiarity with the ISO 8102-20 and IEC 62443 standards crucial to the process of implementing cybersecurity measures in lifts.

With their voluntary certifications, independent service providers like TÜV SÜD guarantee systems are compliant with applicable regulations, codes and standards. Such elective accreditations provide manufacturers and distributors extra assurance that their connected lift systems and components are aligned with cybersecurity guidelines, international regulations and, when applicable, the TRBS 1115 Part 1 Technical Rule for the German Market.

For more information, visit Cibersecurity Services for Lifts.