IEC TS 63074 sets clear requirements for cybersecurity in safety-related control systems. This summary highlights the most important changes.
From technical report (TR) to technical specification (TS)
A Technical Report (TR) offers general guidance and background information but does not contain mandatory requirements. A Technical Specification (TS), by contrast, defines concrete requirements and best practices relevant for compliance and implementation.
The decision to convert IEC 63074 into a Technical Specification was driven by the growing importance of cybersecurity in functional safety. As industrial automation systems become more connected, cyberattacks pose a serious threat to safety-related control systems.
By publishing the document as a TS, the IEC ensures that the integration of safety and cybersecurity is handled more systematically, with clear requirements for risk assessment, security measures and verification processes.
New features in IEC TS 63074
The new Technical Specification introduces several significant changes that were not included in the Technical Report version.
Cybersecurity and functional safety (new section 6)
One of the most important additions is section 6, which deals with cybersecurity risks in safety systems for machine safety. This section:
- Defines safety risks related to functional safety.
- Describes possible cyber threats and attack vectors.
- Introduces protective measures, including:
  - Multi-factor authentication
  - Network segmentation
  - Data encryption
  - Tamper protection
Structured safety risk management
The TS introduces a detailed risk assessment process and defines response strategies to minimize threats. This includes:
- Triggers for security risk assessments (Annex B) - events that require a reassessment of safety risks.
- Approaches to threat modeling (Annex A) - identifying potential attack points and vulnerabilities.
- Mitigation strategies, including software protections, remote access controls and system integrity checks.
Concrete security measures
Unlike the TR, which offered general recommendations, the TS contains specific security measures to ensure the safe use of safety-related control systems (SCS). These include:
- Authentication and access control measures to prevent unauthorized changes.
- Data confidentiality measures that protect safety-critical data from cyberattacks.
- Incident response mechanisms, such as logging security incidents and notifying system administrators.
Information flow between stakeholders
The TS version introduces a new example (section C.3) that describes how information should be exchanged among:
- Device manufacturers
- Machine builders
- System integrators
- Machine end users
This ensures that security updates, patches and vulnerability information are communicated efficiently.
Important differences between IEC TR 63074 and IEC TS 63074
The following table summarizes the main differences:
| Aspect | Technical Report (TR 63074:2019) | Technical Specification (TS 63074:2023) |
|---|---|---|
| Purpose | Informative guidance on safety risks in functional safety | More binding technical specification with concrete requirements |
| Structure | Conceptual discussion of safety risks | More structured requirements with specific protective measures |
| Cybersecurity | Cyber risks briefly mentioned | Separate section (chapter 6) on cybersecurity and functional safety |
| Risk assessment | General discussion of safety risks | More detailed approach to assessing and responding to safety risks |
| Protective measures | General recommendations | More concrete protective measures (authentication, encryption, access control) |
| Annexes | Conceptual explanations | Includes threat modeling, risk assessment triggers and use cases |
| Alignment with IEC standards | Limited reference to IEC 62443 | Direct alignment with IEC 62443, ISO 27001 |
| Use cases | Descriptive scenarios | Detailed examples for design and operational phases |
Significance of the update
The new TS version gives machine manufacturers clear requirements for how security measures for safety-related control systems (SCS) should be developed and implemented. It also ensures that companies follow the IEC 62443 series for cybersecurity and integrate security systematically into functional safety.
System integrators now have a structured approach to assess security risks in machine automation. The defined protective measures help ensure that safety functions are not compromised.
With increasing connectivity, machine operators are particularly exposed to cyberattacks. The new TS ensures that operators receive clear security policies, including verification of security measures, handling of security updates and patches, and protection of industrial automation against cyber threats.
Conclusion
The conversion of IEC TR 63074 (Technical Report) to IEC TS 63074 (Technical Specification) is a significant step forward for the safety of functional control systems in industry.
With clear security requirements, the new Technical Specification provides a structured and practical framework to protect safety-related control systems (SCS) against cyber threats.