ISO 8102-20 provides industry-specific cybersecurity requirements for elevator systems. A compact summary of the requirements.
Scope
The standard describes requirements for cybersecurity in the following lifecycle phases of the so-called "Equipment under Control" (EUC):
- Development (including secure development processes)
- Manufacturing
- Installation
- Operation and maintenance
- Decommissioning
It applies to new EUC that can be connected to external systems such as building networks or cloud services, but not to existing installations prior to the standard's publication date.
The standard is primarily aimed at product suppliers and system integrators, while the operator's ("asset owner") responsibility is indirectly supported through appropriate documentation and recommendations.
Structure and content
The ISO 8102-20 defines the following central aspects:
Secure development lifecycle
Integration of a secure development process based on the principles of IEC 62443-4-1. This includes risk analysis, threat modeling, and continuous improvement of security measures.
Security requirements for products and systems
Definition of security controls for essential, safety-critical and alarm functions of the EUC. Security objectives such as authentication, data integrity and availability are prioritized.
Verification and validation
Obligation to carry out security tests such as penetration tests, vulnerability scans and independent reviews.
Security incident management
Processes for reporting, assessing and remediating security incidents as well as for the timely distribution of security updates.
Provision of information
Documentation for operators on recommended security measures, configuration requirements and secure disposal.
Context and relation to IEC 62443
ISO 8102-20 complements IEC 62443 by defining industry-specific requirements for EUC. The standard refers directly to IEC 62443-4-1 (secure development process) and IEC 62443-4-2 (technical security requirements). It also uses the security level model of IEC 62443-3-3 and provides specific requirements for alarm, safety and essential functions.
A central difference lies in the application focus: while IEC 62443 generally targets industrial communication networks, ISO 8102-20 addresses the specific risks and requirements of elevators and escalators, for example with regard to their connectivity to building networks and cloud services.
The close alignment with IEC 62443 ensures high compatibility and enables manufacturers to leverage existing certification processes.
Conclusion
ISO 8102-20 is a valuable tool for manufacturers and integrators to systematically address the cybersecurity of elevators, escalators and moving walkways. Its orientation to IEC 62443 ensures a consistent implementation of proven security standards, while its industry-specific requirements help facilitate compliance with current and future cyber regulations.
ISO 8102-20 does not stand alone but sits alongside other requirements such as IEC 62443, the machinery regulation, CRA or RED. If you would like to clarify what role the standard plays for your products, development processes or approvals, this can be arranged and structured in a non-binding conversation.