ISO 8102-20 provides industry-specific cybersecurity requirements for elevator systems. All requirements are compactly summarized.
Scope
The standard specifies cybersecurity requirements for the following lifecycle phases of the so-called "Equipment under Control" (EUC):
- Development (including secure development processes)
- Manufacturing
- Installation
- Operation and maintenance
- Decommissioning
It applies to new EUC that can be connected to external systems such as building networks or cloud services, but not to existing installations predating the publication of the standard.
The standard is primarily aimed at product suppliers and system integrators, while the operator's ("asset owner") responsibility is supported indirectly through appropriate documentation and recommendations.
Structure and content
The ISO 8102-20 defines the following central aspects:
Secure development lifecycle
Integration of a secure development process according to the principles of IEC 62443-4-1. This includes risk analysis, threat modeling and continuous improvement of security measures.
Security requirements for products and systems
Definition of security controls for essential, safety-related and alarm functions of the EUC. Security objectives such as authentication, data integrity and availability are prioritized.
Verification and validation
Obligation to perform security tests such as penetration tests, vulnerability scans and independent assessments.
Management of security incidents
Processes for reporting, assessing and mitigating security incidents as well as for timely distribution of security updates.
Provision of information
Documentation for operators about recommended security measures, configuration requirements and secure disposal.
Relationship to IEC 62443
ISO 8102-20 complements IEC 62443 by defining industry-specific requirements for EUC. The standard refers directly to IEC 62443-4-1 (secure development process) and IEC 62443-4-2 (technical security requirements). It also uses the security level model of IEC 62443-3-3 and provides specific requirements for alarm, safety and essential functions.
A key difference lies in the application focus: while IEC 62443 targets industrial communication networks in general, ISO 8102-20 addresses the specific risks and requirements of lifts and escalators, for example regarding their connectivity to building networks and cloud services.
The close alignment with IEC 62443 ensures high compatibility and enables manufacturers to leverage existing certification processes.
Conclusion
ISO 8102-20 is a valuable tool for manufacturers and integrators to systematically address the cybersecurity of lifts, escalators and moving walkways. Its alignment with IEC 62443 ensures a consistent implementation of proven security standards, while its industry-specific requirements help facilitate compliance with current and future cyber regulations.