Do Lifts Need to Be Protected Against Cyber-Attacks?
In March 2023, the German legislator published TRBS 1115 part 1 (Technical Regulations for Operational Safety). The technical regulation deals with cybersecurity for the first time and requires German lift operators to ensure that protection from cyber-attacks is in place, at minimum for safety-related measurement and control devices. To avoid injuries and damage to property, lift operators need to take suitable measures and document them in their hazard assessment.
Lifts can no longer be assumed to be closed-loop systems without any connection to the “outside world”. Modern and modernised older lifts alike can be both digital and connected. Internet access and Wi-Fi enable predictive maintenance and permanent monitoring, which can, for example, improve availability. However, this also creates greater scope for attacks and therefore greater risk. By publishing TRBS 1115-1, the legislator shows that this hazard potential must not be neglected. But what kinds of threats do lift systems need protection against? What risks result from cyber-threats? And what constitutes proportionate action?
TRBS 1115-1 defines the following requirements
Every operator of equipment subject to monitoring is obliged to draw up a hazard assessment, keep it up to date and review it periodically. The hazard assessment must now also consider cyber-threats to the lift’s safety-related measurement and control devices and, where relevant, to all other lift installations. The procedure remains the same: identify potential hazards, evaluate the risk and, where a risk is present, reduce it to a tolerable level by taking suitable actions. TRBS 1115-1 and other regulations about cybersecurity of lift systems provide guidance by specifying a security level for all lift components. Two standards are particularly helpful in connection with the cybersecurity of lift systems.
Various lift security levels
Last year, ISO 8102-20 was published. It is the first standard directly addressing the cybersecurity of lift systems and refers to IEC 62443, an internationally established series of standards on industrial cybersecurity. ISO 8102-20 classifies lifts into three security-related domains and assigns security levels and specific measures to all components of a lift system. The aim is to bring potential threats under control. Even where no safety-related measurement and control devices are concerned, manipulation of other areas might still result in hazardous states of operation. The different domains need to be secured as follows:
1. “Safety” – this domain includes safety-related measurement and control devices, such as digital safety gears and speed governors with SIL. Manipulation may deactivate safety functions, such as tripping the speed governor.
2. “Essential” – components relevant for operation, including the control system, frequency converters, door controllers and many more. Manipulating the parameters of, say, door controllers might lead to hazards, while manipulating the levelling position may lead to stumbling.
3. “Alarm” – including the emergency call system. Manipulation may result in failure to forward an emergency call from a trapped passenger, thus preventing rescue, or may enable eavesdropping on passengers’ conversations.
How lift operators protect their systems
Regardless of the national scope of TRBS 1115 part 1, lift operators can either draw up a hazard assessment for their lift systems or expand their existing hazard assessment by adding cyber-threats. In doing so, they must look at all relevant components and installations that can cause hazards, in accordance with ISO 8102-20 and IEC 62443. Having identified the affected components, operators shall consult the above standards to determine the necessary actions.
For the majority of the roughly 800,000 monitored lift systems in Germany, sometimes only the emergency call system and the control system are classified as digital, cyber-relevant components. As a proportionate measure, adequate physical protection or password protection may be sufficient, under certain circumstances, to significantly impede access and reduce the risk of manipulation to a tolerable level. Approved monitoring agencies support operators with independent technical expertise in this regard.
Text: Thomas Schröder, Cybersecurity Expert, TÜV SÜD Industrie Service
More information: tuvsud.com/lifts-and-escalators