Compliance with regulations and standards can make or break industrial equipment manufacturers that provide software-driven machinery to the ecosystem. However, if meeting new standards and regulations is a sign of product security, cyber-resilience, and quality, then it’s puzzling to see that just below half (45%) of these manufacturers are currently meeting these standards, according to our 2023 Industrial Device Security Survey.
What’s more, our survey found that the #1 priority for industrial manufacturers is complying with new regulations. Together, these findings highlight the pressing importance of understanding and adhering to applicable cybersecurity regulations and standards, mitigating risks, and building a foundation for success in a highly regulated industry.
In this blog post, we’ll explore the benefits of compliance, highlight key regulations and standards, discuss compliance challenges, and offer some best practices for industrial equipment manufacturers.
Benefits of Compliance
Compliance with regulations and standards brings numerous advantages for industrial equipment manufacturers. Let’s explore some of these benefits.
Device security, also known as Product Security, has become a focal point for regulators who are looking to clamp down on the number of medium-to-critical vulnerabilities entering the market. The White House, EU, CISA, and other agencies have recently released documents requiring manufacturers to implement automated processes that scan for vulnerabilities and inform customers of mitigation steps to counter existing and emerging threats.
In today’s market, it’s common to find vulnerabilities that emerge when Open Source, Custom Open Source, and even in-house software go unchecked. In response, governments are facilitating communication, such as with CISA’s Ransomware Vulnerability Warning Pilot (RVWP), and pushing for regularly scheduled vulnerability scans during both pre- and post-production.
Enhanced Product Quality and Safety
Compliance helps in implementing robust quality control measures, product testing protocols, and safety guidelines. As a result, manufacturers can enhance the overall quality of their products, reducing the risk of defects or malfunctions that could compromise user safety.
Improved Reputation and Customer Trust
Compliance with regulations and standards demonstrates a commitment to producing reliable and trustworthy industrial equipment. This commitment, in turn, enhances the reputation of manufacturers within the industry. When customers and stakeholders observe that a manufacturer is dedicated to meeting regulatory requirements and following established standards, it builds trust and confidence in the brand.
Avoidance of Legal Penalties and Financial Losses
Non-compliance with regulations can result in significant legal penalties and financial losses for industrial equipment manufacturers. By prioritizing compliance, manufacturers can mitigate the risk of such penalties, avoiding costly litigation and reputational damage that may arise from non-compliance.
The State of Compliance with Key Regulations and Standards
Below, we highlight some key regulations and standards that are particularly relevant to the industrial manufacturing industry today.
EU Cyber Resilience Act
The EU Cyber Resilience Act (CRA) is a significant regulation that focuses on enhancing the cybersecurity of critical infrastructure within the European Union. Our survey findings indicate that compliance with the EU CRA appears relatively higher among EU respondents, reaching 74%. In contrast, compliance rates for US and APAC respondents stand at 43% and 47%, respectively. This potentially points to a lack of urgency in the U.S., as legislative bodies may be looking to learn from the EU’s implementation before drafting similar legislation of their own.
NIST SP 800-213
NIST Special Publication 800-213 provides guidance for addressing security issues in IoT devices. Compliance with NIST SP 800-213 is crucial for industrial equipment manufacturers, particularly those operating in the United States. Our survey found that 55% of respondents are already implementing the NIST SP 800-213 standards, with 30% planning to do so in 2023.
IEC 62443
IEC 62443-1, 62443-2, and 62443-3 are international standards that focus on the security of industrial automation and control systems. They provide guidance and requirements for implementing cybersecurity measures specific to industrial control systems. Compliance with IEC 62443 helps manufacturers strengthen the security posture of their industrial equipment, safeguarding against cyber threats and unauthorized access. We found that 54% of companies are already in compliance with these standards and 31% plan to become compliant in 2023.
NTIA Critical Elements for Software Bill of Materials
Reinforcing the Biden Administration’s Executive Order 14028, which called for greater cyber resilience across America’s infrastructure, the NTIA Critical Elements for Software Bill of Materials (SBOM) outlines guidelines for providing transparent and comprehensive information about the components and dependencies of software. Compliance with this framework assists manufacturers in creating an accurate and detailed inventory of software components used in their products. According to our survey, this NTIA framework has the second-lowest adoption rate of all, with only 48% already implementing it.
CISA Types of Software Bill of Material (SBOM) Documents
CISA’s outline of six types of software bills of material signals a stronger push by the federal government’s cybersecurity agency to standardize and utilize SBOMs. Companies will need to rely on automation to continuously update their SBOMs and be able to attest to all software components that are embedded within a device.
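The NTIA framework described above boils down to a short list of minimum data fields that every SBOM entry must carry, and the automation this section calls for is largely a matter of checking those fields continuously. The following script is an added example, not code from the original post or from the survey’s authors: it validates a CycloneDX-style SBOM (field names follow the CycloneDX JSON format; the document itself is a constructed sample, not a real product inventory) against the seven NTIA minimum elements and reports every gap, which is the kind of automated requirement validation a manufacturer can run on its own builds and on SBOMs requested from suppliers.

```python
"""Check an SBOM against the NTIA "Minimum Elements for an SBOM" data fields.

Added example; the SBOM below is a constructed sample in CycloneDX JSON shape
(metadata.timestamp, metadata.authors, components[], dependencies[]).
"""
from datetime import datetime

# NTIA minimum data fields: Supplier Name, Component Name, Version of the
# Component, Other Unique Identifiers, Dependency Relationship, Author of
# SBOM Data, Timestamp. The first four are checked per component below; the
# remaining three are checked at document level.
COMPONENT_FIELDS = {
    "supplier": "Supplier Name",
    "name": "Component Name",
    "version": "Version of the Component",
    "purl": "Other Unique Identifiers",
}

# Constructed sample: one complete entry, one entry without a unique
# identifier, and one vendor blob with no version, supplier or dependency edge.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2023-06-01T12:00:00Z",
        "authors": [{"name": "Product Security Team"}],
        "component": {"bom-ref": "fw", "name": "controller-firmware",
                      "version": "2.3.0"},
    },
    "components": [
        {"bom-ref": "zlib", "name": "zlib", "version": "1.2.11",
         "supplier": {"name": "zlib project"},
         "purl": "pkg:generic/zlib@1.2.11"},
        {"bom-ref": "lwip", "name": "lwip", "version": "2.1.3",
         "supplier": {"name": "lwIP project"}},
        {"bom-ref": "vendor-blob", "name": "vendor-crypto", "version": ""},
    ],
    "dependencies": [
        {"ref": "fw", "dependsOn": ["zlib", "lwip"]},
    ],
}


def _valid_timestamp(value):
    """True if value is an ISO 8601 UTC timestamp of the form used above."""
    if not isinstance(value, str):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
        return True
    except ValueError:
        return False


def check_ntia_minimum_elements(sbom):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    meta = sbom.get("metadata", {})

    # Document-level elements: Author of SBOM Data and Timestamp.
    if not meta.get("authors"):
        findings.append("document: missing Author of SBOM Data")
    if not _valid_timestamp(meta.get("timestamp")):
        findings.append("document: Timestamp missing or not ISO 8601 "
                        "(YYYY-MM-DDTHH:MM:SSZ)")

    # Dependency Relationship: every component must appear in the graph,
    # either as a node with its own entry or as someone's dependency.
    known_refs = set()
    for dep in sbom.get("dependencies", []):
        known_refs.add(dep.get("ref"))
        known_refs.update(dep.get("dependsOn", []))

    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        for field, label in COMPONENT_FIELDS.items():
            value = comp.get(field)
            if field == "supplier":
                value = (value or {}).get("name")
            if not value:
                findings.append(f"{ref}: missing {label}")
        if ref not in known_refs:
            findings.append(f"{ref}: no Dependency Relationship recorded")
    return findings


def is_ntia_compliant(sbom):
    return not check_ntia_minimum_elements(sbom)


if __name__ == "__main__":
    for line in check_ntia_minimum_elements(SAMPLE_SBOM):
        print(line)
    print("compliant:", is_ntia_compliant(SAMPLE_SBOM))
```

Run against the constructed sample, the checker flags the missing identifier on lwip and four gaps on the vendor blob, and reports the document as non-compliant. In practice the same function would run in the build pipeline on every generated SBOM and as an intake gate on SBOMs received from suppliers, so that a component without a supplier, version or identifier never reaches the attestation step.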
UL 2900-1/2900-2
UL 2900-1/2900-2 are standards that provide a framework for assessing and certifying the cybersecurity readiness of industrial equipment. Interestingly, our survey found that UL 2900-1/2900-2 has higher adoption among companies with 5,000 to 10,000 employees compared to larger companies with over 10,000 employees (51% vs. 39%).
Compliance Best Practices
Some best practices for compliance with regulations and standards for industrial equipment manufacturers include:
- Putting new regulations into action: Remaining up to date on new regulations is never easy, but with the US and EU rolling out requirements that are focused on the industrial manufacturing ecosystem, it’s vital for companies that want to remain competitive. To achieve this, companies must rely on automated requirement validation and workflows to record and document product security activities while minimizing the potential for human error.
- Establishing a product security incident response team: Companies must not only understand regulations and document vulnerabilities but also be prepared to address new threats as they arise. One way this can be done is with a multidisciplinary Product Security Incident Response Team (PSIRT), which can rapidly manage incidents as they arise while keeping customers in the loop. Currently, only 21% of companies surveyed prioritize building such a team, with larger companies more frequently marking it as a priority.
- Collaboration with suppliers and partners: Manufacturers should engage with their suppliers to ensure they also meet regulatory requirements. This includes requesting SBOMs, ensuring suppliers have an automated vulnerability discovery and management process, and holding them responsible for providing updates along with quality assurance throughout the lifecycle of the product. As it currently stands, requesting SBOMs from suppliers is the most prevalent software supply chain security practice, adopted by 57% of survey respondents.
Wrapping It Up
Compliance with regulations and standards is a critical priority for industrial equipment manufacturers. However, our survey findings reveal that many companies are still working towards achieving compliance with listed regulations. By prioritizing compliance and implementing best practices, industrial equipment manufacturers can strengthen their compliance efforts, enhancing product quality, reputation, and customer trust.
For more insights into the maturity of industrial device cybersecurity processes and the main challenges faced by today’s industrial organizations, download our full State of Critical Infrastructure 2023.