
Press Release
EtherCAT meets the CRA requirements for Security Level 2 without modification. Extensions are currently being prepared for particularly demanding applications. TÜV SÜD is working with the EtherCAT Technology Group on a corresponding assessment report.
Cyber security and cyber resilience are becoming increasingly important: new legislation, not only in Europe, requires appropriate risk assessment and proof of suitable countermeasures. Manufacturers are required to provide reliable statements on the cyber resilience of their products.
EtherCAT is the Ethernet fieldbus: based on Ethernet, but with the simplicity of fieldbuses and without relying on IT technologies. Common IT cyber security measures are therefore only partly applicable or are not necessary.
The special functional principle of EtherCAT – the processing of Ethernet frames on the fly by special EtherCAT chips – ensures not only the exceptionally high performance of the technology, but also its high resilience to cyber attacks. This is supported by the system architecture, which provides for a clear separation of the EtherCAT segment from the higher-level IT-based network: the controller significantly reduces the attack surface. The controller itself must, of course, be protected accordingly: then EtherCAT cannot be attacked from the outside – i.e., not from the Internet or the company network. An attack would require physical access to the EtherCAT segment. The EtherCAT device protocol also uses the Ethernet frame directly, rather than via the Internet Protocol (IP), while virtually all malware is based on IP because it needs IP for routing.
The EtherCAT chips destroy all Ethernet frames that are not native EtherCAT. Due to the chip properties, EtherCAT devices cannot manipulate data that is not intended for them – even compromised firmware cannot change this. Unused EtherCAT ports on the devices can be deactivated by the controller. The controller can even detect additional devices that have been inserted, even if they are not EtherCAT devices.
Martin Rostan, Executive Director of the EtherCAT Technology Group: “We are therefore convinced that EtherCAT already meets the requirements of the IEC 62443 standard and the CRA for almost all common applications without the need for changes or extensions to the protocol.”
IEC 62443 defines measures and processes for the cybersecurity of industrial control systems and forms the basis for the corresponding standards of the European Cyber Resilience Act.
For applications with exceptionally high security requirements, the ETG is working on protocol extensions that can be activated as needed and do not require any hardware changes. In addition, the ETG is preparing its own certification authority (CA) so that ETG members can easily and uniformly sign and authenticate EtherCAT device description files and software.
EtherCAT therefore meets the requirements of the Cyber Resilience Act without any changes to the technology, with downward-compatible extensions in preparation for special requirements.
TÜV SÜD is working on a test report on the cyber resilience of EtherCAT in accordance with IEC 62443. The experts at TÜV SÜD share the ETG's principal findings, although the final assessment report is still pending.

Press Contacts
For further information regarding public relations, please contact: press@ethercat.org
