As the industrial world becomes increasingly digitalised and connected, cybersecurity is now essential for the safe operation of critical systems: software defects or deliberate attacks on the control systems of such installations can put people at risk.

If you operate any critical systems (e.g. pressure vessels, elevators, potentially explosive installations, fuel stations, gas filling stations), you are required to document potential cyber threats in your risk assessment and implement any measures that may be required. As an accredited inspection body, we will review your cybersecurity documentation to verify compliance with the applicable regulations.

Critical systems include elevators, pressure vessels and installations in potentially explosive atmospheres such as fuel stations and gas filling stations. Once you have conducted an up-to-date risk assessment, you must use the results to implement appropriate technical and organisational measures to protect your critical systems against digital threats.

What do you need to do now?

Please make sure that your documentation of potential cyber threats is available on the day of the inspection (do not submit it beforehand).

FAQs

Do you have any questions about classifying potential cyber threats?

The German Ordinance on Industrial Safety and Health (BetrSichV) lays down health and safety requirements for the use of work equipment, which includes critical installations subject to monitoring. As part of the risk assessment required under the ordinance, operators must also take potential cyber threats into account.

In 2019, the Federal Institute for Occupational Safety and Health (BAuA) published a recommendation (EmpfBS 1115) on how employers and operators should manage risks arising from cyberattacks on safety-related measurement and control equipment. This has since been formalised as a Technical Rule (TRBS 1115, Part 1), which describes how to identify and mitigate cyber threats within the risk assessment required under the BetrSichV.

This means that all operators are responsible for considering potential cyber threats in their risk assessments.

As an operator or employer, you are legally obliged to identify potential cyber threats within the scope of your risk assessment and to implement measures wherever those threats could endanger your employees or other persons. When carrying out the inspections required under the BetrSichV (before commissioning, after significant changes and at recurring intervals), the accredited inspection body will review the results of your risk assessment for installations subject to monitoring (e.g. elevators, installations in potentially explosive atmospheres, pressure vessels).

The above cybersecurity requirements do not apply to systems whose safety features are solely mechanical or analogue in nature and whose operation cannot be endangered by cyber threats. In this context, “analogue” means there are no components processing digital data – or capable of being reprogrammed – and the safe operation of the systems cannot be compromised by a cyberattack.

As an operator, you must check whether cyber threats could pose risks to users. If so, you must identify and implement effective countermeasures. A structured approach is set out in TRBS 1115, Part 1. Our experts can guide you through the first step, for which you will need to complete a form.

If your risk assessment does not include any documentation covering cyber threats, this does not necessarily mean that a cyberattack would pose a risk to people. As an accredited inspection body, TÜV Hessen will assess whether cyber threats are relevant for the system in question and whether any further action needs to be taken.

Ensuring safe operation is the responsibility of the employer or system operator. Although manufacturers must comply with EU directives and national product safety laws, these currently do not contain any binding regulations on cybersecurity risks. However, manufacturers and fitters are fundamentally obliged to take all necessary precautions to ensure that their systems can be operated safely and as intended.

Yes. While cybersecurity requirements for manufacturers are not yet specifically regulated by law, operators are already responsible for ensuring safe operation. This discrepancy can result in corresponding findings during inspections. In light of the above, it may be a good idea to involve TÜV Hessen in a supervisory role throughout various phases of a system’s lifecycle to evaluate cybersecurity aspects at an early stage. We can provide support even before systems are put into operation (i.e. during the planning stage).