SIST-TS CLC IEC/TS 63074:2024

SLOVENSKI STANDARD
01-september-2024
Varnost strojev - Zaščitni vidiki, povezani s funkcionalno varnostjo varnostno
pomembnih nadzornih sistemov
Safety of machinery - Security aspects related to functional safety of safety-related
control systems
Maschinensicherheit - Sicherheitsaspekte in Verbindung mit der funktionalen Sicherheit
von sicherheitsrelevanten Steuerungssystemen
Sécurité des machines - Aspects liés à la sûreté relatifs à la sécurité fonctionnelle des
systèmes de commande relatifs à la sécurité
Ta slovenski standard je istoveten z: CLC IEC/TS 63074:2024
ICS:
13.110 Varnost strojev Safety of machinery
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
29.020 Elektrotehnika na splošno Electrical engineering in
general
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

TECHNICAL SPECIFICATION CLC IEC/TS 63074

SPÉCIFICATION TECHNIQUE
TECHNISCHE SPEZIFIKATION February 2024
ICS 13.110; 29.020
English Version
Safety of machinery - Security aspects related to functional
safety of safety-related control systems
(IEC/TS 63074:2023)
Sécurité des machines - Aspects liés à la sûreté relatifs à la Maschinensicherheit - Sicherheitsaspekte in Verbindung mit
sécurité fonctionnelle des systèmes de commande relatifs à der funktionalen Sicherheit von sicherheitsrelevanten
la sécurité Steuerungssystemen
(IEC/TS 63074:2023) (IEC/TS 63074:2023)
This Technical Specification was approved by CENELEC on 2024-01-22.

CENELEC members are required to announce the existence of this TS in the same way as for an EN and to make the TS available promptly
at national level in an appropriate form. It is permissible to keep conflicting national standards in force.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Türkiye and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2024 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. CLC IEC/TS 63074:2024 E

European foreword
This document (CLC IEC/TS 63074:2024) consists of the text of IEC/TS 63074:2023 prepared by
IEC/TC 44 "Safety of machinery - Electrotechnical aspects".
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national committee. A
complete listing of these bodies can be found on the CENELEC website.
Endorsement notice
The text of the International Technical Specification IEC/TS 63074:2023 was approved by CENELEC
as a European Technical Specification without any modification.
In the official version, for Bibliography, the following notes have to be added for the standard indicated:
IEC 60204-1:2016 NOTE Approved as EN 60204-1:2018
IEC 61496 (series) NOTE Approved as EN IEC 61496 (series)
IEC 61508-2:2010 NOTE Approved as EN 61508-2:2010 (not modified)
IEC 61508-3:2010 NOTE Approved as EN 61508-3:2010 (not modified)
IEC 61508-4:2010 NOTE Approved as EN 61508-4:2010 (not modified)
IEC 62443 (series) NOTE Approved as EN IEC 62443 (series)
IEC 62443-2-4:2015 NOTE Approved as EN IEC 62443-2-4:2019 (not modified)
IEC 62443-2-4:2015/A1:2017 NOTE Approved as EN IEC 62443-2-4:2019/A1:2019 (not modified)
IEC 62443-3-2:2020 NOTE Approved as EN IEC 62443-3-2:2020 (not modified)
IEC 62443-3-3:2013 NOTE Approved as EN IEC 62443-3-3:2019 (not modified)
IEC 62443-4-1:2018 NOTE Approved as EN IEC 62443-4-1:2018 (not modified)
IEC 62745 NOTE Approved as EN 62745
ISO 12100:2010 NOTE Approved as EN ISO 12100:2010 (not modified)
ISO 13849-2:2012 NOTE Approved as EN ISO 13849-2:2012 (not modified)
ISO 14119 NOTE Approved as EN ISO 14119
ISO/TR 22100-4:2018 NOTE Approved as CEN ISO/TR 22100-4:2020 (not modified)
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
NOTE 1  Where an International Publication has been modified by common modifications, indicated by (mod), the
relevant EN/HD applies.
NOTE 2  Up-to-date information on the latest versions of the European Standards listed in this annex is available
here: www.cencenelec.eu.
Publication Year Title EN/HD Year
IEC 62061 2021 Safety of machinery - Functional safety of EN IEC 62061 2021
safety-related control systems

IEC TS 63074 ®
Edition 1.0 2023-02
TECHNICAL
SPECIFICATION
colour
inside
Safety of machinery – Security aspects related to functional safety of safety-

related control systems
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 13.110; 29.020 ISBN 978-2-8322-6468-3

– 2 – IEC TS 63074:2023 © IEC 2023
CONTENTS
FOREWORD . 4
INTRODUCTION . 6
1 Scope . 7
2 Normative references . 7
3 Terms, definitions, and abbreviated terms . 8
3.1 Terms and definitions . 8
3.2 Abbreviated terms . 12
4 Safety and security overview . 12
4.1 General . 12
4.2 Safety objectives . 12
4.3 Security objectives . 13
5 Security aspects related to functional safety . 15
5.1 General . 15
5.1.1 Security risk assessment . 15
5.1.2 Security risk response strategy . 16
5.2 Security countermeasures . 16
5.2.1 General . 16
5.2.2 Identification and authentication . 18
5.2.3 Use control . 18
5.2.4 System integrity . 18
5.2.5 Data confidentiality . 18
5.2.6 Restricted data flow . 19
5.2.7 Timely response to events . 19
5.2.8 Resource availability . 19
6 Cybersecurity and functional safety of machinery . 19
6.1 General . 19
6.2 Aspects related to the protection against corruption . 19
6.3 Security countermeasures against corruption . 20
6.3.1 General . 20
6.3.2 Potential sources of cyber threats . 20
6.3.3 Multi-factor authentication . 20
6.3.4 Network architecture . 20
6.3.5 Portable devices . 21
6.3.6 Wireless communication . 21
6.3.7 Remote access . 21
6.3.8 Attack through direct physical connection . 22
7 Verification and maintenance of security countermeasures . 22
8 Information for the user of the machine(s) . 22
Annex A (informative) Basic information related to threats and threat modelling
approach . 23
A.1 Evaluation of threats . 23
A.2 Examples of threat related to a safety-related device . 24
Annex B (informative) Security risk assessment triggers . 26
B.1 General . 26
B.2 Event driven triggers . 26

IEC TS 63074:2023 © IEC 2023 – 3 –
Annex C (informative) Example of information flow between device supplier,
manufacturer of machine, integrator and user of machine . 27
C.1 General . 27
C.2 Example 1 – Design phase of the machine . 27
C.3 Example 2 – Use phase of the machine . 27
Bibliography . 29

Figure 1 – Relationship between threat(s), vulnerabilities, consequence(s) and security
risk(s) for SCS performing safety function(s) . 14
Figure 2 – Possible effects of security risk(s) to an SCS . 14
Figure A.1 – Safety-related device and possible accesses . 25
Figure C.1 – Example of generic information flow during design phase . 27
Figure C.2 – Example of generic information flow during use phase . 28
Figure C.3 – Example of information flow during use phase in context of IEC 62443-2-4 . 28

Table 1 – Overview of foundational requirements and possible influence(s) on an SCS . 17

– 4 – IEC TS 63074:2023 © IEC 2023
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
SAFETY OF MACHINERY – SECURITY ASPECTS RELATED TO
FUNCTIONAL SAFETY OF SAFETY-RELATED CONTROL SYSTEMS

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent
rights. IEC shall not be held responsible for identifying any or all such patent rights.
IEC TS 63074 has been prepared by IEC technical committee 44: Safety of machinery –
Electrotechnical aspects. It is a Technical Specification.
This first edition cancels and replaces the first edition of IEC TR 63074 published in 2019. This
edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to
IEC TR 63074:2019:
a) new Clause 6 on Cybersecurity and functional safety of machinery;
b) new Figure A.1;
c) new Clause C.3 Example 2 – Use phase of the machine.

IEC TS 63074:2023 © IEC 2023 – 5 –
The text of this Technical Specification is based on the following documents:
Draft Report on voting
44/964/DTS 44/987/RVDTS
Full information on the voting for its approval can be found in the report on voting indicated in
the above table.
The language used for the development of this Technical Specification is English.
This document was drafted in accordance with ISO/IEC Directives, Part 2, and developed in
accordance with ISO/IEC Directives, Part 1 and ISO/IEC Directives, IEC Supplement, available
at www.iec.ch/members_experts/refdocs. The main document types developed by IEC are
described in greater detail at www.iec.ch/standardsdev/publications.
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to
the specific document. At this date, the document will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates that it
contains colours which are considered to be useful for the correct understanding of its
contents. Users should therefore print this document using a colour printer.

– 6 – IEC TS 63074:2023 © IEC 2023
INTRODUCTION
Industrial automation systems can be exposed to security threats exploiting vulnerabilities due
to the fact that:
– access to the control system is possible, for example re-programming of machine functions
(including safety);
– "convergence" between standard IT and industrial systems is increasing;
– operating systems have become present in embedded systems, for example IP-based
protocols are replacing proprietary network protocols and data is exchanged directly from
the SCADA network into the office world;
– software is developed by reusing existing third-party software components;
– remote access from suppliers has become the standard way of operations / maintenance,
with an increased cyber security risk regarding for example unauthorized access, availability
and integrity.
In the context of the machine, the machine control system represents an industrial automation
system.
The safety-related control system of machines is part of the machine control system and can
therefore also be subject to security threats that can result in a loss of the ability to maintain
safe operation of a machine.
NOTE 1 The risk potential of attack opportunities is significant due to the trends and developments of threats and
the amount of known vulnerabilities. Security objectives are mainly described in terms of confidentiality, integrity and
availability, which in general will be identified and prioritized by using a risk-based approach.
Functional safety objectives consider the risk by estimating the severity of harm and the
probability of occurrence of that harm. The effects of any risk (hazardous event) determine the
requirements for safety integrity (safety integrity level (SIL) in accordance with IEC 62061 for
safety-related control systems or the IEC 61508 series for electrical/electronic/programmable
electronic safety-related systems, or the Performance Level (PL) in accordance with
ISO 13849-1 for safety-related parts of control systems).
With respect to the safety function, the security threats (internal or external) can influence the
safety integrity and the overall system availability.
NOTE 2 In order to ensure the security objectives, IEC 62443-3-3 defines and recommends security requirements
("foundational requirements") to be fulfilled by the relevant system.
NOTE 3 The overall security strategy is not covered in this document; further information is provided for example
in the IEC 62443 series or ISO/IEC 27001.
Measures to prevent reasonably foreseeable misuse by physical manipulation are addressed in
some machinery functional safety standards (e.g. the IEC 61496 series and ISO 14119).
NOTE 4 Measures to prevent reasonably foreseeable misuse by physical manipulation are not the same as physical
security in the IEC 62443 series.

IEC TS 63074:2023 © IEC 2023 – 7 –
SAFETY OF MACHINERY – SECURITY ASPECTS RELATED TO
FUNCTIONAL SAFETY OF SAFETY-RELATED CONTROL SYSTEMS

1 Scope
This technical specification identifies the relevant aspects of the IEC 62443 series related to
security threats and vulnerabilities that are considered for the design and implementation of
safety-related control systems (SCS) which can lead to the loss of the ability to maintain safe
operation of a machine.
Typical security aspects related to the machine with potential relation to SCS are:
– vulnerabilities of the SCS either directly or indirectly through the other parts of the machine
which can be exploited by security threats that can result in security attacks (security
breach);
– influence on the safety characteristics and ability of the SCS to properly perform its
function(s);
– typical use case definition and application of a corresponding threat model.
Non-safety-related aspects of security threats and vulnerabilities are not considered in this
document.
NOTE Non-safety-related parts of the machine control system can also be affected by security threats with possible
impact on operation of a machine, such as productivity, performance or quality. For these aspects, refer to the
IEC 62443 series.
The focus of this document is on intentional malicious actions. However, intentional hardware
manipulation (e.g. wiring, exchange of components) or foreseeable misuse by physical
manipulation of SCS (e.g. physical bypass) is not considered in this document.
This document does not cover security requirements for information technology (IT) products
and for the design of devices used in the SCS (e.g., product specific standards can be available,
such as IEC TS 63208).
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies.
For undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 62061:2021, Safety of machinery – Functional safety of safety-related control systems

– 8 – IEC TS 63074:2023 © IEC 2023
3 Terms, definitions, and abbreviated terms
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following
addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp
3.1.1
asset
physical or logical object having either a perceived or actual value to a control system
[SOURCE: IEC 62443-3-3:2013, 3.1.1, modified – "the IACS" replaced by "a control system",
removal of Note 1 to entry]
3.1.2
attack
assault on a system that derives from an intelligent threat
[SOURCE: IEC 62443-3-3:2013, 3.1.3, modified – removal of Notes 1 and 2 to entry]
3.1.3
availability
ability of an item to be in a state to perform a required function under given conditions at a given
instant or over a given time interval, assuming that the required external resources are provided
[SOURCE: IEC TS 62443-1-1:2009, 3.2.16, modified – Notes deleted]
3.1.4
confidentiality
assurance that information is not disclosed to unauthorized individuals, processes, or devices
[SOURCE: IEC TS 62443-1-1:2009, 3.2.28]
3.1.5
machine control system
system that responds to input signals from the machine, a process and/or from an operator and
generates output signals causing the machine to operate in the desired manner
Note 1 to entry: The machine control system includes input and output devices, including sensors and actuators.
Note 2 to entry: “Signals” can also be data.
[SOURCE: IEC 61508-4:2010, 3.3.3, modified – The term defined has been changed, "process"
has been changed to "machine", Note to entry amended and Note 2 to entry added]
3.1.6
cybersecurity
set of activities necessary to protect network and information
systems of the machine control system, the users of such systems, and other persons from
cyber threats, typically regarding the aspects of confidentiality, integrity and availability

IEC TS 63074:2023 © IEC 2023 – 9 –
3.1.7
cyber threat
potential circumstance, event or action that could damage,
disrupt or otherwise adversely impact network and information systems, the users of such
systems and other persons, typically exploiting vulnerabilities of a machine system
3.1.8
dangerous failure
failure of an element and/or subsystem and/or system that plays a part in implementing the
safety function that:
a) prevents a safety function from operating when required (demand mode) or causes a safety
function to fail (continuous mode) such that the machine is put into a hazardous or
potentially hazardous state; or
b) decreases the probability that the safety function operates correctly when required
[SOURCE: IEC 61508-4:2010, 3.6.7, modified – in item a) “EUC” has been replaced by
"machine"]
3.1.9
functional safety
part of the overall safety relating to the machine and the machine control system that depends
on the correct functioning of the safety-related control systems and other risk reduction
measures
[SOURCE: IEC 61508-4:2010, 3.1.12, modified – "EUC" replaced by "machine", "E/E/PE safety-
related systems" replaced by “safety-related control systems”]
3.1.10
integrator
entity who designs, manufactures or assembles an integrated manufacturing system and is
responsible for the safety strategy, including the protective measures, control interfaces and
interconnections of the control system
Note 1 to entry: The integrator may be for example a manufacturer, assembler, engineering company, or entity with
the overall responsibility for the machine.
[SOURCE: IEC 62061:2021, 3.2.13]
3.1.11
machinery
machine
assembly, fitted with or intended to be fitted with a drive system consisting of linked parts or
components, at least one of which moves, and which are joined together for a specific
application
Note 1 to entry: The term "machinery" also covers an assembly of machines which, in order to achieve the same end,
are arranged and controlled so that they function as an integral whole.
[SOURCE: ISO 12100:2010, 3.1, modified – removal of Note 2]
3.1.12
network and information systems
means or devices that contribute to or participate in the
transmission or exchange of data

– 10 – IEC TS 63074:2023 © IEC 2023
Note 1 to entry: Network and information systems can be:
a) an electronic communications network within the meaning of transmission systems and, where applicable,
switching or routing equipment and other resources which permit the conveyance of signals by wire, radio, optical
or other electromagnetic means used for a machine;
b) any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform
automatic processing of digital data; or
c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the
purposes of their operation, use, protection and maintenance.
3.1.13
protective measure
measure intended to achieve risk reduction, implemented
– by the designer (inherently safe design, safeguarding and complementary protective
measures, information for use) and/or
– by the user (organization: safe working procedures, supervision, permit-to-work systems;
provision and use of additional safeguards; use of personal protective equipment; training)
[SOURCE: ISO 12100:2010, 3.19, modified – removal of Note]
3.1.14
risk
combination of the probability of occurrence of harm and the severity of that harm
[SOURCE: ISO 12100:2010, 3.12]
3.1.15
safety
freedom from risk which is not tolerable
[SOURCE: ISO/IEC Guide 51:2014, 3.14]
3.1.16
safety function
function of a machine whose failure can result in an immediate increase of the risk(s)
[SOURCE: ISO 12100:2010, 3.30]
3.1.17
safety integrity
probability of a safety-related control system satisfactorily performing the specified safety
functions under all the stated conditions within a stated period of time
[SOURCE: IEC 61508-4:2010, 3.5.4, modified –"an E/E/PE safety-related system" replaced by
"a safety-related control system", removal of Notes]
3.1.18
safety-related control system
SCS
part of the control system of a machine which implements a safety function by one or more
subsystems
[SOURCE: IEC 62061, 3.2.3, modified – Note 1 to entry omitted]
3.1.19
security
a) measures taken to protect a system

IEC TS 63074:2023 © IEC 2023 – 11 –
b) condition of a system that results from the establishment and maintenance of measures to
protect the system
c) condition of system resources being free from unauthorized access and from unauthorized
or accidental change, destruction, or loss
d) capability of a computer-based system to provide adequate confidence that unauthorized
persons and systems can neither modify the software and its data nor gain access to the
system functions, and yet to ensure that this is not denied to authorized persons and
systems
e) prevention of illegal or unwanted penetration of, or interference with, the proper and
intended operation of a machinery and its control system
Note 1 to entry: Measures can be controls related to physical security (controlling physical access to computing
assets) or logical security (capability to login to a given system and application).
[SOURCE: IEC TS 62443-1-1:2009, 3.2.99, modified – in item e) “industrial automation and
control system” replaced by “a machinery and its control system”]
3.1.20
countermeasure
security countermeasure
action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by
eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting
it so that corrective action can be taken
[SOURCE: IEC TS 62443-1-1:2009, 3.2.33, modified – addition of second preferred term
"security countermeasure", removal of Note]
3.1.21
security risk
expectation of loss expressed as the probability that a particular threat will exploit a particular
vulnerability with a particular consequence
[SOURCE: IEC TS 62443-1-1:2009, 3.2.87, modified – in the term, "risk" replaced by "security
risk"]
3.1.22
security risk assessment
process that systematically identifies potential vulnerabilities to valuable system resources and
threats to those resources, quantifies loss exposures and consequences based on probability
of occurrence, and (optionally) recommends how to allocate resources to countermeasures to
minimize the exposure
[SOURCE: IEC TS 62443-1-1:2009, 3.2.88, modified –"risk assessment" replaced by "security
risk assessment" in the term, "total exposure" replaced by "the exposure", removal of Notes.]
3.1.23
subsystem
entity of the top-level architectural design of a safety-related system where a dangerous failure
of the subsystem results in dangerous failure of a safety function
[SOURCE: IEC 61508-4:2010, 3.4.4, modified – removal of references to 3.6.7 a) within the
definition]
3.1.24
threat
circumstance or event with the potential to adversely affect operations (including mission,
functions, image or reputation), assets, control systems or individuals via unauthorized access,
destruction, disclosure, modification of data and/or denial of service

– 12 – IEC TS 63074:2023 © IEC 2023
[SOURCE: IEC 62443-3-3:2013, 3.1.44]
3.1.25
user of the machine
entity with the overall responsibility for the use of the machine
3.1.26
vulnerability
weakness of a machine control system or a countermeasure
that can be exploited by one or more threats to violate the machine control system's integrity
3.1.27
vulnerability assessment
formal description and evaluation of the vulnerabilities in a system
[SOURCE: IEC 62443-2-1:2010, 3.1.44]
3.2 Abbreviated terms
CVSS common vulnerability scoring system
DoS denial of service
IT information technology
JTAG joint test action group
LAN local area network
PL performance level
PLC programmable logic controller
SCS safety-related control system
SD secure digital
SIL safety integrity level
USB universal serial bus
VPN virtual private network
WLAN wireless local area network
4 Safety and security overview
4.1 General
The relationship between safety and security aspects can be characterized as follows:
– a machine has appropriate protective measures;
– security countermeasures applied for a machine are to be appropriate in order to avoid
degradation of the performance of protective measures that implement safety function(s)
(including safety-related data).
NOTE Persons who are qualified to implement security countermeasures are not necessarily the same people who
are qualified to implement SCS. Therefore it is reasonable to mutually exchange information and support.
4.2 Safety objectives
Safety of machinery is based on risk assessment which can be performed in accordance with
ISO 12100 and where available, by following a type-C standard for specific machine types, in
combination with the derived risk reduction measures which can be performed by safety
function(s).
IEC TS 63074:2023 © IEC 2023 – 13 –
NOTE The risk assessment, including the implemented risk reduction measures, is applied by the designers during
the development of machinery to enable the design of machines that are safe for their intended use.
Safety functions that are performed by an SCS achieve a safety integrity which is quantifiable
as SIL in accordance with IEC 62061 for safety-related control systems (or the IEC 61508 series
for electrical/electronic/programmable electronic safety-related systems) or PL in accordance
with ISO 13849-1 for safety-related parts of control systems.
4.3 Security objectives
In general terms security is focused mainly on achieving three objectives: availability, integrity
and confidentiality.
NOTE 1 Security objectives are for example:
• availability of machine(s), including safety functions;
• integrity against manipulations;
• confidentiality by means of methods commonly accepted by both the security and industrial automation
communities;
• For example, an attack on a machine (safety function) such that it affects the availability of the machine and can
result in a safety function being bypassed.
Security risks will be evaluated by using a security risk assessment in order to identify the
security objectives.
A security risk assessment is based on a product or system in its environment on which threats
and known vulnerabilities are identified. The aim of this activity is to derive relevant security
countermeasures applied for a machine to fulfil the overall security objectives.
NOTE 2 See also IEC TS 62443-1-1:2009, 5.5.
In the context of safety of machinery, the security countermeasures are intended to protect the
ability to maintain safe operation of a machine and their implementation shall not adversely
affect any safety function (see Figure 1).
NOTE 3 Essential functions in accordance with IEC 62443-3-3 include safety functions.
Due to the nature of threats and known vulnerabilities, the security risk assessment should be
event driven or periodic (periodic security review), see also Annex B.
NOTE 4 See also IEC TS 62443-1-1: 2009, 5.12, security level lifecycle.
NOTE 5 Security risk assessment and management are vital in determining exactly what will be protected and how
this can be achieved.
Figure 2 shows in safety of machinery the possible effects of security risk(s) to an SCS.

– 14 – IEC TS 63074:2023 © IEC 2023

Figure 1 – Relationship between threat(s), vulnerabilities, consequence(s)
and security risk(s) for SCS performing safety function(s)

Figure 2 – Possible effects of security risk(s) to an SCS

IEC TS 63074:2023 © IEC 2023 – 15 –
5 Security aspects related to functional safety
5.1 General
5.1.1 Security risk assessment
NOTE 1 Further information can be found in IEC 62443-2-1 and IEC 62443-3-2.
The security risk assessment relative to an SCS is part of the overall security risk assessment
of the machine in its environment and includes consideration of various phases such as design,
implementation, commissioning, operation, and maintenance.
NOTE 2 The manufacturer of the machine usually does not have sufficient information on the machine within its
environment to perform the overall security risk assessment, therefore it is typically performed by the combination of
the user of the machine and the manufacturer of the machine.
NOTE 3 IEC 62443-4-1 recommends for all products an up-to-date threat model with the following characteristics:
– correct flow of categorized information throughout the system;
– trust boundaries;
– processes;
– data stores;
– interacting external entities;
– internal and external communication protocols implemented in the product;
– externally accessible physical ports including debug ports;
– circuit board connections such as JTAG connections or debug headers which might be used to attack the
hardware;
– potential attack vectors including attacks on the hardware if applicable;
– potential threats and their severity as defined by a vulnerability scoring system, for example common vulnerability
scoring system (CVSS);
– mitigations or dispositions for each threat, or both;
– security-related issues identified;
– external dependencies in the form of drivers or third party applications (code that is not developed by the
supplier) that are linked into the application.
As part of the security risk assessment, a vulnerability assessment shall be carried out to
identify vulnerabilities (that can be exploited by threats) of the machine and the potential
influence related to safety. The following information shall be available:
– a description of the devices covered by the vulnerability assessment (e.g. mobile panel, or
any other device connected to the safety-related control system);
– a description of identified vulnerabilities that can be exploited by threats and result in
security risks;
NOTE 4 Vulnerabilities can be the result of intentional design choices or can be accidental, for example
resulting from the failure to understand the operational environment.
– a description of parts of the SCS (e.g. hardware or software) that should be protected by
security countermeasures.
The manufacturer of the machine can make some assumption about the threats in consideration
of the foreseen machine installation site and implements security countermeasure(s) based on
the vulnerability assessment.
NOTE 5 Communication between the manufacturer of the machine and the user, where possible, can address these
assumptions.
Verification shall be performed to ensure that the security countermeasure(s) are appropriate
in the context of the overall security risk assessment.
NOTE 6 Verification of appropriate security countermeasure(s) is normally performed in the machine user
environment and can require the information of assumed threats.

– 16 – IEC TS 63074:2023 © IEC 2023
Examples of aspects of the security risk assessment are given as follows:
– identified threats and their sources (including intentional attacks on the hardware,
application programs and related software);
– a description of the potential consequences (security risks) resulting from the combination
of identified threats and vulnerabilities (see Figure 1);
– the determination of requirements for (additional) measures;
NOTE 7 Additional measures can be adequate safety-related control function(s) to mitigate the consequences
of a threat, for example safety-related monitoring of limit values, additional security countermeasures,
organisational measures, or a combination of them.
– a description of, or references to, information on the countermeasures taken to reduce or
remove the threats.
NOTE 8 A safety-related control system that initially has limited vulnerability can become more vulnerable with
situations such as changing environment, changing technology, system failure, unavailability of device
replacements, personnel turnover, and greater threat intelligence.
5.1.2 Security risk response strategy
NOTE 1 The comparable term to "risk mitigation" is "risk reduction" used in safety of machinery.
Security risk response strategy should be determined during the security risk assessment and
taken into consideration in the overall security risk assessment.
Responses to security risks in the field of safety of machinery include:
a) mitigating intolerable security risks by
– avoiding the security risk by design; or
– limiting the security risk (e.g. directly by the manufacturer of the machine, or by security
countermeasures applied by the user of the machine, or countermeasures shared
between the manufacturer and the user of the machine);
NOTE 2 A security risk response strategy can be a defence in depth strategy in accordance with
IEC 62443-4-1:2018, Figure 3.
b) accepting the security risk if tolerable.
NOTE 3 If the security risk is tolerable no further action is necessary.
5.2 Security countermeasures
5.2.1 General
Any security countermeasure applied for a machine shall not adversely affect the safety function
performed by the SCS, and further investigation has to be performed, for example deeper
investigation of influences on safety by security countermeasures (e.g. response time of safety
function).
NOTE 1 Security countermeasures applied to normal operation functions (machine functions) can have an influence
on the safety function performed by the SCS.
...