CEN ISO/TR 22100-4:2020

SLOVENSKI STANDARD
01-februar-2021
Varnost strojev - Povezava z ISO 12100 - 4. del: Navodilo proizvajalcem strojev za
upoštevanje povezanih vidikov IT-varnosti (kibernetske varnosti) (ISO/TR 22100-
4:2018)
Safety of machinery - Relationship with ISO 12100 - Part 4: Guidance to machinery
manufacturers for consideration of related IT-security (cyber security) aspects (ISO/TR
22100-4:2018)
Sicherheit von Maschinen - Zusammenhang mit ISO 12100 - Teil 4: Leitlinien für
Maschinenhersteller zur Berücksichtigung der damit verbundenen IT-Sicherheits-
(Cybersicherheits-) Aspekte (ISO/TR 22100 4:2018)
Sécurité des machines - Relation avec l'ISO 12100 - Partie 4: Titre manque (ISO/TR
22100-4:2018)
Ta slovenski standard je istoveten z: CEN ISO/TR 22100-4:2020
ICS:
13.110 Varnost strojev Safety of machinery
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

CEN ISO/TR 22100-4
TECHNICAL REPORT
RAPPORT TECHNIQUE
April 2020
TECHNISCHER BERICHT
ICS 13.110
English Version
Safety of machinery - Relationship with ISO 12100 - Part 4:
Guidance to machinery manufacturers for consideration of
related IT-security (cyber security) aspects (ISO/TR
22100-4:2018)
Sécurité des machines - Relation avec l'ISO 12100 -
Partie 4: Titre manque (ISO/TR 22100-4:2018)

This Technical Report was approved by CEN on 6 April 2020. It has been drawn up by the Technical Committee CEN/TC 114.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and
United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2020 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN ISO/TR 22100-4:2020 E
worldwide for CEN national Members.

Contents Page
European foreword . 3

European foreword
The text of ISO/TR 22100-4:2018 has been prepared by Technical Committee ISO/TC 199 "Safety of
machinery” of the International Organization for Standardization (ISO) and has been taken over as
of which is held by DIN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
Endorsement notice
The text of ISO/TR 22100-4:2018 has been approved by CEN as CEN ISO/TR 22100-4:2020 without any
modification.
TECHNICAL ISO/TR
REPORT 22100-4
First edition
2018-12
Safety of machinery — Relationship
with ISO 12100 —
Part 4:
Guidance to machinery manufacturers
for consideration of related IT-security
(cyber security) aspects
Reference number
ISO/TR 22100-4:2018(E)
©
ISO 2018
ISO/TR 22100-4:2018(E)
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2018 – All rights reserved

ISO/TR 22100-4:2018(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 General characterization of safety of machinery versus IT-security .3
4.1 Principle objectives . 3
4.2 Different elements of risk . 4
4.3 Consequences for risk assessment process . 5
5 Relationship to existing legal and standardization framework regarding safety of
machinery . 5
5.1 Legal framework . 5
5.2 Standardization framework – Relationship to ISO 12100 . 5
6 Relationship between safety of machinery and IT-security . 5
7 Essential steps to address IT-security over the whole life cycle of the machine .7
8 Generic guidance for assessing IT-security threats regarding their possible
influence on safety of machinery . 8
9 Roles to address IT-security issues with possible relevance to safety of machinery .9
10 Guidance for machine manufacturers to address IT-security issues with possible
relevance to safety of machinery .11
10.1 General .11
10.2 Selection of appropriate components (hardware/software) .11
10.3 Appropriate machine design .12
10.4 Instruction handbook (guidance to the machine user) .12
Annex A (informative) Example of a legal framework.14
Bibliography .15
ISO/TR 22100-4:2018(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso
.org/iso/foreword .html.
This document was prepared by Technical Committee ISO/TC 199, Safety of machinery.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
A list of all parts in the ISO 22100 series can be found on the ISO website.
iv © ISO 2018 – All rights reserved

ISO/TR 22100-4:2018(E)
Introduction
Internet, digital services and technology are important enablers for smart manufacturing, which is one
part of internet of things (IoT) (see ISO/IEC 20924). For the manufacturing environment, the foundations
are vertical networking and horizontal integration across the entire value chain, convergence of
design, ordering, delivery and manufacturing capabilities. This results in the transformation of
conventional value chains and the emergence of new business models. Smart products based on smart
manufacturing know many details on how they were made, their performance and how they are being
used. The physical product is linked to its digital representation, and the digital content depends on
lifecycle phase. Implementing smart manufacturing creates an efficient and highly responsive package
by leveraging existing manufacturing systems, as well as technological and economic potential. Smart
manufacturing increases the vulnerabilities of machinery to IT-security threats.
Smart manufacturing leads to the emergence of dynamic, real-time optimized, self-organizing value
chains. An appropriate regulatory framework is therefore necessary, as well as standardized interfaces
and harmonized business processes. Smart manufacturing is characterized by:
a) increased product flexibility;
b) new intrinsic built-in product properties;
c) flexible work organization;
d) changed scale (up to a lot size 1) and location of manufacturing.
For smart manufacturing, the description of the network infrastructure needs to be further expanded
to enable privacy, self-configuration and ease of use. Therefore, there is a need for fast available, robust
and secure communication networks.
The primary purpose of this document is to address aspects on safety of machinery that can be
affected by IT-security attacks related to the direct or remote access to, and manipulation of, a safety-
related control system(s) by persons for intentional abuse (unintended uses). IT-security attacks are
increasingly becoming a potential threat to the safety of machinery. Although intentional abuse falls
outside the scope of ISO 12100 and the (safety-related) risk assessment process, it is reasonable also for
machinery manufacturers to consider such threats.
Current technologies enable machinery to be monitored and/or improved regarding their performance
remotely by adjusting parameters without having to be on site at the machine. This ability provides
considerable benefits as machinery can be kept operating without the downtime and associated costs
of a field service person making a service call.
However, this same capability to adjust machine parameters to improve performance lends itself to the
possibility for persons with nefarious or criminal intent to make adjustments that can put workers and
others at risk of harm. For example, speeds or forces can be adjusted to dangerous levels, temperatures
can be lowered below a kill step level resulting in food contamination, or error codes or messages c
...