IEC TS 63074 provides clear requirements for cybersecurity in safety-related control systems. All key changes at a glance.
From technical report (TR) to technical specification (TS)
A technical report (TR) provides general guidance and background information but does not contain binding requirements. A technical specification (TS), on the other hand, defines concrete requirements and best practices that are relevant for compliance and implementation.
The decision to convert IEC 63074 into a technical specification was driven by the growing importance of cybersecurity in functional safety. As industrial automation systems become increasingly connected, cyberattacks pose a serious threat to safety-related control systems.
By converting it into a TS, the IEC ensures that the integration of safety and cybersecurity is more systematic, with clear requirements for risk assessment, security measures and verification processes.
With the transition to a technical specification, many manufacturers are asking which parts of IEC TS 63074 are actually mandatory to implement. If you want to clarify this distinction for your machines or control systems, a short discussion to classify the requirements can be useful.
New in IEC TS 63074
The new technical specification introduces several significant changes that were not present in the technical report version.
Cybersecurity and functional safety (new section 6)
One of the most important additions is section 6, which deals with cybersecurity risks to the safety systems used for machine safety. This section:
- Defines safety risks related to functional safety.
- Describes potential cyber threats and attack vectors.
- Introduces protective measures, including:
  - Multi-factor authentication
  - Network segmentation
  - Data encryption
  - Protection against tampering
Structured safety risk management
The TS introduces a detailed risk assessment process and defines response strategies for safety risks to minimize threats. This includes:
- Triggers for safety risk assessments (Annex B) - events that require a reassessment of safety risks.
- Approaches to threat modelling (Annex A) - identification of possible attack points and vulnerabilities.
- Mitigation strategies, including protective measures for software, remote access control and system integrity checks.
Concrete security measures
Unlike the TR, which offered general recommendations, the TS contains specific security measures to ensure the safe use of safety-related control systems (SCS). These include:
- Authentication and access control measures to prevent unauthorised changes.
- Data confidentiality measures that protect safety-critical data from cyberattacks.
- Response mechanisms for security breaches, e.g. logging of security incidents and notifying system administrators.
Information flow between stakeholders
The TS version introduces a new example (section C.3) describing how information should be exchanged between:
- Device manufacturers
- Machine manufacturers
- System integrators
- End users of machines
This ensures that security updates, patches and vulnerability information are communicated efficiently.
Key differences between IEC TR 63074 and IEC TS 63074
| Aspect | Technical report (TR 63074:2019) | Technical specification (TS 63074:2023) |
|---|---|---|
| Purpose | Informative guidance on safety risks in functional safety | More binding technical specification with concrete requirements |
| Structure | Conceptual discussion of safety risks | More structured requirements with specific protective measures |
| Cybersecurity | Cyber risks briefly mentioned | Dedicated section (clause 6) on cybersecurity and functional safety |
| Risk assessment | General discussion of safety risks | More detailed approach to assessing and responding to safety risks |
| Protective measures | General recommendations | More concrete protective measures (authentication, encryption, access control) |
| Annexes | Conceptual explanations | Includes threat modelling, triggers for risk assessments and use cases |
| Alignment with IEC standards | Limited reference to IEC 62443 | Direct alignment with IEC 62443, ISO 27001 |
| Use cases | Descriptive scenarios | Detailed examples for design and operational phases |
Significance of the update
The new TS version gives machine manufacturers clear instructions on how to develop and implement security measures for safety-related control systems (SCS). It also ensures that companies align with the IEC 62443 series for cybersecurity and integrate security systematically into functional safety.
System integrators now have a structured approach to assessing security risks in machine automation. The defined protective measures ensure that safety functions are not compromised.
With increasing connectivity, machine operators are particularly exposed to cyberattacks. The new TS ensures operators receive clear security policies, including checks of security measures, handling of security updates and patches, and protection of industrial automation against cyber threats.
Conclusion
The change from IEC TR 63074 (technical report) to IEC TS 63074 (technical specification) is a significant step forward for the security of functional control systems in industry.
By providing clear security requirements, the new technical specification offers a structured and practical framework for protecting safety-related control systems (SCS) against cyber threats.
IEC TS 63074 noticeably raises expectations for manufacturers, integrators and operators of safety-related control systems. If you want to understand the concrete implications for your products or projects and how to proceed in a structured way, this can be discussed in a non-binding consultation.