Cybersecurity is often seen as technically intriguing but complex, especially at lower automation levels and among users. This article aims to dispel some of these assumptions and offers practical insights into effective cybersecurity implementation, addressing key questions such as:
• Is non-networked OT affected too?
• What is my risk at the field level?
• Can cybersecurity be user-friendly?
• Are patches necessary, and should they be applied?
The myth of safety: Are offline drives truly safe?
The belief that drives not connected to the internet are safe is misleading. Headlines about production stoppages due to cyberattacks highlight the importance of resilience in automation. While traditional preventive measures often focus on the control level, downstream components can pose significant risks.
Cybersecure variable frequency drives (VFD) from Danfoss enable efficient field protection with minimal complexity. A common misconception is that cybersecurity is only relevant for drives connected to the internet or when IT and OT infrastructure overlap. However, system boundaries are frequently crossed, such as through laptops used in both networks.
Risk management and solutions for VFDs
Cybersecurity is a collaborative effort: Through cascading measures, the risks of an attack can be reduced layer by layer. This means that a very strong firewall between IT and OT does not necessarily require an equally potent solution at the control or converter level.
The internationally recognized standard IEC 62443 for cybersecurity in automation classifies risks and corresponding measures into Security Levels (SL), ranging from SL1 to the highest requirements SL4. While higher security levels like SL2, SL3, or SL4 may be needed for plants and machinery, SL1 is often sufficient for field components like converters.
A drive can specifically cause damage through manipulated speeds, so IT/OT security gaps must never compromise functional safety. Additionally, there is the possibility of accessing the network through vulnerabilities, such as in a fieldbus stack. The potential damage from a manipulated drive varies and must be assessed by the machine builders or operators.
"In most applications, security level SL1 will be sufficient for drives, given upstream security mechanisms at the machine or plant level"
Danfoss variable frequency drives – Cybersecure and user-friendly
Under the EU Cyber Resilience Act (CRA), Danfoss will exclusively market cybersecure drives by the end of 2027, with reporting obligations for potential vulnerabilities already fulfilled starting in 2026. Danfoss is certified according to IEC 62443-4-1. You can already integrate Danfoss drives into your plants and machinery to meet security level SL1 with the help of corresponding guidelines. Models like FC 280, FC 302, VACON 100, and NXP will soon have certified security measures. User management, a central element, can meet SL2 requirements. All devices implement the necessary separation of functional safety from cybersecurity, ensuring a safe stop if functional safety is compromised. Cybersecurity does entail restrictions, such as password management, which can be challenging in service situations. Danfoss drives allow user management activation only when needed, with customizable roles tailored to different needs.
Many OEMs must comply with the CRA too and the deadline is sooner than many realize. Especially machines / plants which require a certain installation time can be critical as they must comply with the CRA at the point of the factory acceptance test (FAT). Assuming the FAT takes place on 31.12.2027 and the duration of shipment / installation / commissioning is 12 months, then the deadline for having secure components in place is end-2026. Considering an internal component qualification period results in a tough timeline. However, Danfoss drives will be available in time to meet the OEM requirements.
A class of its own: Danfoss iC7 series
The Danfoss iC7 series is the world's first “secure-by-design" drive, with cybersecurity considered from the initial product concept. While conventional devices can achieve a maximum security level of SL2, the iC7 series supports levels up to SL4, thanks to an integrated crypto chip that enables internal data encryption and secure certificate handling as well as other security mechanisms.
Initially meeting security level SL1, the iC7 series facilitates designing systems with higher security requirements down to the drive level. Like other converters from Danfoss, user-friendly commissioning and simple handling in the service case are the focus.
Regardless of the industry, the use of versatile frequency converters makes a difference. The new iC7 frequency converter generation offers motor control and maintenance functions as well as integrated encryption for powerful systems that maximize uptime and ensure competitiveness.
OPC UA: Secure communication from Control Level to Field Level
Secure communication is rare in standard fieldbuses. OPC UA offers a solution by enabling secure communication paths. It also allows for device backup, update, and restore. Security updates for field devices can be centrally managed via OPC UA: secure data, install the update, and restore the backup. The iC7 drives and power converters support OPC UA activated via a license, without additional hardware requirements. OPC UA can be used alongside existing communication paths like PROFINET, or through separate network structures.
Beyond secure VFDs
By the end of 2027, drive manufacturers must market secure drives. However, devices alone are insufficient. If a security gap is discovered, the market must be informed and security updates provided.
As a user you must be able to handle secure devices during commissioning and operation. Further you must decide whether applying the security update is necessary or could affect machine or plant operation, similar to IT devices today. Danfoss supports you in these steps, providing information, tools, and assistance in assessing the necessity of updates.
"Cybersecurity is not just an option, but a duty for companies aiming to secure uptime and protect systems."
Conclusion
Ensuring cybersecure uptime is vital for business success. Implementing the right technologies and practices protects systems, maximizes uptime, and maintains competitiveness. Review and optimize your cybersecurity strategies to unlock the full potential of your operations. With Danfoss solutions, you are equipped to meet the challenges of the digital world and operate your systems securely and efficiently. Let's shape the future of industrial automation together and elevate your operations to the next level. Our experts are available to support you developing and implement a comprehensive cybersecurity strategy tailored to your company's needs.
An investment in cybersecurity is an investment in the future of your company. Digital transformation offers enormous opportunities - and also risks. However, with the right security measures, you can minimize risks to leverage opportunities and maintain good usability at the same time.
By Michael Burghardt,
Director Strategic Business Development,
Industrial Machinery at Danfoss Drives.