Cyber security in industrial radio remote control systems


Contents

Introduction 3
Cyber security in a global environment 3
Joint efforts to address cyber security 4
Europe: Cyber Resilience Act (EU) 2024/2847 4
HBC’s position 5
Security responsibilities in industrial control applications 7
HBC’s responsibilities as a supplier of control hardware 8
Product requirements 10
Incident handling and vulnerability handling 10
Technical standards and references: The IEC 62443 framework 11
How is security implemented at HBC? 14
How can HBC support to make your system secure? 14
Product development and design 15
Product lifecycle support 15
Conclusion 16
Contact us 16
Terms and definitions 17
Disclaimer 18
References 19
Change History 19

Introduction

Managing cybersecurity has long been a core responsibility of managing IT systems. Information technology (IT) is the technology backbone of any organization. It is necessary for monitoring, managing, and securing functions such as communication, finance, human resources, and other applications in the data center and cloud. Strong IT security has long been identified as the only possible answer to the growing risk of cyberattacks in a fully globalized environment. Organizations and users alike are increasingly aware of the risks related to using unsafe IT tools or infrastructures, and of the need to invest regularly into enhancing their IT environments.

Operational technology (OT), on the other hand, is the hardware and software used for connecting, controlling, monitoring, managing, and securing an organization‘s industrial operations and machines. Businesses engaged in activities such as manufacturing, mining, oil and gas, utilities, and transportation, among many others, rely heavily on OT. Robots, industrial control systems, SCADA systems or programmable logic controllers (PLCs) are examples of OT. OT and IT network infrastructure may employ similar elements, including wireless technology, data interfaces, network protocols, or switches. IT devices are usually off-the-shelf, replaceable systems which have a short life cycle (<5 years) and are typically relatively easy to maintain. In contrast, OT devices tend to be purpose-built, so they generally include specialized software and protocols tailored to the application. They are typically designed for a much longer lifetime, as industrial sites are built to operate for many years or even decades. OT devices usually cannot be updated as easily and as often as IT devices because accessing them in remote locations or harsh environments is often difficult. In all cases, modifications to OT devices can have numerous consequential effects on the industrial process.
OT devices control the physical world, while IT systems manage data and applications. It is also worth noting that safety is far more critical for OT than for IT. Even though the risks associated with vulnerable corporate IT systems are tremendous, a security breach in an OT device can have truly dangerous consequences in the physical world of an industrial process. In their decision-making process, leaders responsible for OT systems must account for the threats to life and health in critical infrastructure and heavy machinery. Your HBC radio remote control system is an excellent example of an OT device. It represents the interface between the human operator and a machine, or an industrial process, where machine and operator safety has long been a strong priority of machine manufacturers. While functional safety engineers have been able to address the risks associated with intended use and unintentional yet foreseeable misuses of the OT device, designing cyber-secure systems requires anticipating attacks carried out intentionally by malicious agents. Cyber-attacks by various agents have become a reality for IT and OT systems alike. When it comes to running critical infrastructure, or highly inter-connected industrial environments, it is clear that accidents and unwanted damage are not the only risks to consider. Manufacturers and operators of OT must also be prepared to face cybercrime.

©2025 by HBC-radiomatic GmbH. All rights reserved. Page 3 of 20

Cyber security in a global environment

Improving cyber resilience in operational technology is a continuous process. Even when designed to the state of the art, an OT system may still be vulnerable or become vulnerable via its connections to other devices, or as vulnerabilities are being exposed while the OT system is in use. Because of the extended service life of OT devices, maintaining and enhancing cyber security represents a challenge for manufacturers and operators alike.

Joint efforts to address cyber security

The need for a common approach to securing operational technology has been recognized across all industries and economic areas. A joint publication by the relevant governmental authorities of Australia, the USA, the UK, Canada, New Zealand, Germany, the Netherlands, Japan and South Korea describes six principles that must guide the creation and maintenance of a safe and secure OT environment [1]. In these principles, they stress the need to put safety first. They also argue that an OT environment can only be secure if the whole supply chain delivers security – and if people are recognized as an essential contributor to effective cyber security. OT is an extremely valuable asset and knowledge of the business is crucial. Wherever possible, OT should be segmented and segregated from other networks. A promising example of international partnership is the joint effort of the USA and the European Union, which collaboratively developed an administrative agreement for a Joint Cybersafe Products Action Plan with the aim of advancing technical cooperation and supporting the goal of achieving mutual recognition in the area of cybersecurity requirements [2]. Governments and legislators worldwide have made cyber security policy an issue of strategic importance. For HBC as a European manufacturer, the publication of the EU’s Cyber Resilience Act (EU 2024/2847, or “CRA”) in December 2024 is of particular interest.
After a three-year transition period, compliance with the CRA will be a precondition for all manufacturers and vendors who seek to operate in the European market.

Europe: Cyber Resilience Act (EU) 2024/2847

EU regulation (EU) 2024/2847 (CRA) went into effect on December 11th, 2024, for all EU member states [3]. Over the course of its three-year introduction period, the various market players must prepare for compliance with its provisions. Beginning September 11th, 2026, the CRA requires all manufacturers to report vulnerabilities and/or security incidents to the European Union Agency for Cybersecurity (ENISA). Such reporting is obligatory for all products operating in the field, regardless of when they were placed on the European market. After December 11th, 2027, all CRA requirements must be complied with. The regulation aims to safeguard consumers and businesses buying software or hardware products with a digital component. It applies to all products connected directly or indirectly to another device or network. It introduces mandatory cybersecurity requirements governing the planning, design, development, maintenance and decommissioning of such products. These obligations must be met at every stage of the value chain. The act also requires manufacturers to provide security support during the lifecycle of their products [4].

Your HBC radio remote control system includes various digital components. It is designed to interface directly with a machine or industrial process, so the CRA applies to the HBC product and to HBC-radiomatic as a manufacturer. We also provide software for the design and maintenance of our products. Such software also falls within the scope of the CRA.

HBC’s position

HBC has long considered cyber security requirements in the design of our products, and as we work towards CRA compliance, our product portfolio will be continuously updated to address the latest findings related to cybersecurity research and international regulatory efforts. While our R&D work today is closely aligned with and timed to the EU’s CRA, we are also observing standardization activities in other markets. As our fully CRA-compliant products become available, we will be in close exchange with our customers to coordinate these products’ introduction into our customers’ applications. After December 1st, 2027, all products offered by HBC will comply with the CRA, which will be signified by our CE marking. Our entire organization, encompassing our German headquarters as well as seven subsidiaries in the USA, Canada, France, Spain, the Netherlands, Switzerland and India, will also comply with all requirements prescribed for product lifecycle support and incident handling. We have made the conscious choice to offer the same high level of security to all markets worldwide. By using globally applicable technical standards such as the IEC 62443 family (issued by the International Electrotechnical Commission), or NIST SP 800-82r3 (issued by the National Institute of Standards and Technology, US Department of Commerce [5]), we can provide a solid foundation for customers who want to enhance their level of security worldwide. In short: any HBC radio remote control system delivered after December 1st, 2027 will be CRA-compliant.
Note that CRA requirements do not apply to spare parts or replacements for HBC systems that have been placed on the market before December 2027. It will be possible to provide repair or other service work on in-use systems. However, after September 11th, 2026, HBC has a duty to report any vulnerability which might be revealed over time on any system in service.

Security responsibilities in industrial control applications

It is crucial to note that cyber resilience requirements must be met throughout the entire supply chain, and different actors need to not only assume their direct responsibilities, but also to jointly adopt responsibility for overall security. It quickly becomes obvious that cyber security cannot be achieved by one party alone, as various threats and attack vectors are imaginable at each step of the supply and implementation process. As stated in the principles above, the whole supply chain must commit to delivering security. Figure 1 shows how the relevant actors along the supply chain work together to achieve this goal. It is useful to differentiate between the software supplier, the supplier of an OT device (e.g. a control or automation system), the system integrator (e.g. machine manufacturer) and the operator of a machine or process (or plant operator). Details on the different responsibilities of various actors along the supply chain can be found in [6] and in VDI/VDE 2182 [7]. An analysis of important assets, threats and attack vectors needs to be carried out at each stage of each chain. Such analysis will usually be part of a risk assessment procedure which weighs the severity of the possible consequences of a successful cyber-attack (i.e. the damage or disruptive potential involved) against the probability of such an attack actually occurring.

Figure 1: Roles and relationships of different actors along the supply chain, according to [6]

Security requirements that can be derived from such an analysis will likely be formulated as design goals for the upstream supply chain. The technical information and documentation necessary to implement a particular security measure will likely be passed on downstream so that the security measure can be successfully integrated to support the overall security of the complete system. HBC-radiomatic is a good example of a supplier of an OT device – the radio remote control system. HBC has extensive in-house software development capabilities, and almost all of our software is created by HBC’s software engineers. Even where external software, or elements thereof, is integrated by HBC, we assume the role of the responsible software supplier and apply the utmost care in selecting and assessing appropriate software components before they can be used in our systems. In our typical business environment, our customers will be original equipment manufacturers (OEM), machine manufacturers, or system integrators who are in charge of assessing security measures as well as any other functional requirements. We rely on the cooperative and constructive exchange with our customers to define appropriate security measures for any given application.
Figure 1 (diagram content; the arrows between the roles are labelled “Requirements” and “Documentation”):

Software supplier
• Analyze assets and threats
• Provide approved security measures
• Provide technical documentation

Supplier of automation / control device / OT device
• Analyze assets and threats
• Implement software and hardware security measures
• Provide technical documentation

System integrator / machine manufacturer
• Analyze assets and threats
• Implement provided software and hardware security measures
• Implement system security measures
• Provide technical documentation

Plant or machine operator / management
• Analyze assets and threats
• Use available software, hardware and system security measures
• Test, audit, validate
• Train staff

All technical systems follow a lifecycle from their initial design to their decommissioning at the end of their service life. The long service life of years or decades has been acknowledged before – it represents an important challenge for sustained OT security. During the initial design phase, security engineers along the supply chain will account for known threats, and they will also try to anticipate future threat scenarios when designing for security. However, as surveillance and maintenance is a particularly long and security-critical phase of the lifecycle, it must be appreciated in its own right. As is often the case for applications in which an HBC radio remote control system is used, remote online access is not always available for distributing software updates via the internet protocol (TCP/IP). From a threat assessment perspective, it will not always make sense to establish remote access where it is not needed for the intended OT functionality – after all, network access immediately introduces additional risk from new attack vectors and threats. It is nevertheless crucial to be aware of the necessity to provide security updates in an efficient way, and without running the risk of introducing secondary security or quality concerns. Along with initial security design, concepts for rigorous surveillance and maintenance are best considered at an early stage.

(Figure 2 diagram content: lifecycle stages Design, Implementation, Validation, Commissioning, Surveillance & Maintenance, End of Life)

Most applications where HBC radio remote control systems are used today are neither connected nor centrally managed via the internet. Therefore, updates to your HBC radio remote control are generally provided through our decentralized service network and can be deployed by the simple exchange of the respective hardware module. We support our OEM customers in developing, deploying and maintaining their centralized service concepts, which are routinely considered early in any joint developments.
HBC’s responsibilities as a supplier of control hardware

HBC operates in the business-to-business (B2B) environment and assumes the role of a control device manufacturer in the supply chain (see Figure 1). The radio remote control system is a core part of the human-machine interface (HMI) for industrial applications and machinery. In contrast to consumer off-the-shelf products (COTS), HBC’s product solutions are regularly tailored to our customers’ operator interface specifications and will seamlessly fit the respective operating environment. It is our business to understand our customers’ applications and requirements, to map those to our technology, and to create comprehensive solutions that perfectly fit the target application. Such an approach naturally includes all aspects of HMI, such as:
• machine control,
• operating efficiency,
• data feedback and visualization,
• operator safety, with a special focus on functional safety.

As users and operators worldwide become more aware of OT security, the cyber-security of the remote control system will play a bigger part in defining control solutions with our customers.

Figure 2: Generic Product Lifecycle, according to [8]

Security cannot be achieved by any single component of an OT system. Together with our customers, our goal is to reach a mutual understanding of cyber security by bringing together all relevant analyses of possible threats and limitations, considering both technical risks and user behavior. An effective security implementation will address both technical and human factors. Our clear aim is to deliver a solid understanding of the security measures the HBC radio remote control system can provide, and to describe how such measures are nested within the overall system solution. With the increasing criticality of the target application (e.g., compare the operation of a nuclear power plant to that of a plant that makes a consumer good), the need for in-depth analysis also continues to increase. It is our mission to support our customers in this process throughout the complete lifecycle of their OT device. As a provider of comprehensive radio remote control system solutions, HBC will fulfill our responsibility to deliver security. Together with our customers, we will work towards a cyber-secure solution for your target applications. Customers who are already doing business in the EU, or are planning to enter the EU market, can rely on HBC to support them in CRA compliance by December 2027. According to the CRA, various security requirements apply to our products. We discuss these in the following section.

Product requirements

The specific technical and procedural requirements for cyber security according to the CRA are listed in Annex 1 of the regulation [3]. The following pages represent a summary of relevant security requirements for the HBC product and HBC’s approach to vulnerability handling throughout our products’ service life (as discussed in [9]).

No known exploitable vulnerabilities. HBC monitors vulnerabilities as they are disclosed.
Our products undergo continuous development and improvement – we make sure our portfolio does not have any exploitable vulnerabilities at any time.

Secure standard configuration. CRA-compliant products shall be delivered with a secure standard configuration. They must not exhibit a reduced security level, and the security level must take absolute priority over any commercial considerations. For HBC products, this means that in-built secure access and system authentication configurations are set at the factory. Our customers can select among various options that can be implemented according to their security requirements. At the interface between the HBC product and the machine or target application, we will deliver the solution designed to meet or exceed our customers’ risk assessment. Protection against unauthorized access can be achieved by means of appropriate authentication measures (e.g. user identification in radiomatic® report) corresponding to the required protection level of a particular function of the HBC product, or the protection level of data being processed by the HBC product. While not a mandatory standard feature, HBC does recommend the use of authentication technology, and various options are available for our customers.

Protection of confidentiality and data integrity. All data, including personal information, machine data, or any other, must be protected against unauthorized disclosure or modification whenever stored or processed. In the HBC product, internal data, such as data used for command and information processing, system configurations, and application-specific data, are all encrypted. HBC’s proprietary radio telegram is also protected by encryption. Unmonitored upload or download of security- or safety-relevant software parameters (e.g. via a smartphone app) is explicitly and strictly disabled as a matter of principle. Data minimization in the HBC product is achieved by adhering to the principle that optional functions will only be activated in response to an explicit request by the user. HBC radio remote control systems are tailored to our customers’ specific application and are optimized for data efficiency. Data efficiency is also a leading principle at the interface between the HBC system and the target machine. Personal information is only handled when required for user authentication and can be adapted to the customer’s data management requirements, including options such as user anonymization.

Protection of availability. A CRA-compliant product shall uphold its basic functionality also when undergoing a denial-of-service (DoS) attack. In the context of a product relying on radio transmission, such as the HBC remote control, this topic deserves special attention. HBC can offer various technologies to strengthen the resilience of the remote control when operated in environments with dense radio communication traffic (in both licensed and unlicensed frequency ranges). Our primary goal is to provide a highly available radio remote control system that employs various options of coexistence management. Nevertheless, radio interference in the unlicensed bands is an inherent characteristic of this part of the radio spectrum. A fundamental principle of machine safety requires that RF interference overload (i.e., the equivalent of a denial-of-service attack exploiting the frequency band in which the HBC system operates) will inevitably cause the remote control system to enter its safe state, which renders all safety-related functions, such as machine movement commands, unavailable.
Our customers will typically account for this principle when assessing the functional safety requirements of their application.

Minimization of negative consequences for the availability of the network. This CRA requirement refers to the protection of other devices within a network that may be subject to an attack via a vulnerable network-connected product. HBC products and the machines that our products are integrated with do not form typical networks. The extent of consideration needed for this scenario depends on the specific application. The general rule for our products is: whenever an HBC product is connected to a fieldbus or a network via a serial interface, this connection will, without exception, be governed by the customer’s specification. That specification will define the intended behavior of the HBC product on the bus.

Reduction of exposure to an attack. Security-related services and/or interfaces which are not typically needed shall be deactivated. HBC follows this principle in line with the criteria of data minimization and efficiency. The interfaces to the HBC product at which threats and/or attack vectors are always considered include: the authentication (sub-)system, the radio transmission air link, and the interface between the HBC receiver and the machine.

Reduction of the specific consequences of a security breach. This CRA requirement refers to the possibility for the attacker to further misuse or exploit other vulnerabilities after the initial security breach. With respect to the HBC product, the possible consequences for the secure operation of the machine can only be addressed in a joint effort with our customers. We consider this analysis an important part of the risk assessment and will naturally support our customers in the process of determining potential consequences.

Security monitoring. A CRA-compliant product will monitor and log its current state so that security incidents can be understood more easily and retrospectively.
Security monitoring is necessarily implemented on the machine (or application, or process). The related requirements for the HBC product can be specified and established as part of the initial design process.

Possibilities for updates (importantly, safety or security updates). As discussed above, the surveillance and adequate maintenance of the product during its service life is a central requirement of the CRA. For the reasons explained earlier, HBC products do not feature security patching options via the TCP/IP protocol. Vulnerabilities can, however, be effectively handled with the exchange of the hardware or software module in question. It is highly likely that, to do so, physical access to the HBC product will be necessary.

Incident handling and vulnerability handling

In addition to the product requirements, the CRA also requires OT device manufacturers such as HBC-radiomatic to maintain an efficient process to provide rapid relief in case of a security breach.

Complete documentation of components and vulnerabilities. As a matter of principle, and as has always been the case since the beginning of our business operations, HBC has kept comprehensive records of every radio remote control system delivered to the market, including full traceability of included hardware and software components (software bill of materials, SBOM). The records are actively maintained throughout the complete service life of any of our products (typically, 10 to 20 years).

Vulnerability handling, e.g. by providing security updates. If vulnerabilities are identified in the product (regardless of whether they are caused by HBC’s own code, or by third-party code or software libraries), they will be remedied. Vulnerabilities are handled through the exchange of the hardware or software module in question. It is important to note that HBC often has not been provided information about the end user of the product, but will utilize our traceability mechanisms to support necessary updates along the supply chain.

Testing for security. As part of HBC’s product development, extensive tests are routinely performed. Wherever practical, products are also continuously tested.
Internal tests are supplemented by additional external service providers (such as third-party penetration testing).

Provision of information on vulnerabilities. HBC documents all processes and maintains all reports as required within the framework of European regulation. In particular, HBC will offer a means to exchange information with indirect third parties, so that each user can easily and quickly inform us of an observed incident.

Coordinated Vulnerability Disclosure (CVD). We also support our customers to the best of our ability by providing and maintaining information related to their processes for the identification and remedy of vulnerabilities. This ensures that all users of our products along the supply chain will be informed of vulnerabilities and/or their consequences, and that appropriate instruction can be given.

Technical standards and references: The IEC 62443 framework

While regulations like the CRA set the general requirements for product security, international standard frameworks, like ISO or IEC standards, detail those requirements and provide state-of-the-art implementations and approaches to meeting those requirements. It is unlikely that the Conformity Assessment Bodies (CABs), charged with assessing CRA compliance, will be ready to certify before June 2026. However, even though standardization committees are only now beginning to align their standards with the CRA, manufacturers and system integrators need to start updating their product portfolios now in order to provide fully compliant products to OT operators by December 2027, at which time all requirements of the CRA must be met. While there is not yet a defined set of standards focusing specifically on the scope of the European CRA, a broad set of international standards dealing with cyber security is already available. Many of these standards cover cyber security in IT infrastructure and IT networks, telecommunication networks, or consumer products. With respect to OT, the most widely used standards are the ISO/IEC 27000 standards family applicable to information security management, the IEC 62443 standard framework on industrial communication networks, as well as ETSI EN 303 645 addressing cyber security for consumer IoT (Internet of Things). ENISA’s “Cyber Resilience Act Requirements Standards Mapping” [8] shows that the standards mentioned above address similar aspects of cyber security and rely on similar procedures to design and maintain cyber-secure products and services over the entire product lifecycle. The standards provide significant coverage across the requirements of the CRA and represent a helpful starting point for anyone preparing for CRA compliance. HBC’s radio remote control systems are not connected to any public network, but are nested within the architecture of a control system in an OT environment. The IEC 62443 standard framework on “Security for industrial automation and control systems” [10] provides requirements, approaches and processes for component and system levels, as well as an overall set of security program requirements applicable for achieving a consistent security chain across the different hierarchies of a control system. While not specifically referencing radio remote control systems, this standard covers all relevant aspects needed to achieve an overall cyber-secure OT system.
In a straightforward way, we can map the standard’s security goals to the specific ecosystem of a radio remote control system, and consider the complete OT environment into which the HBC product will be integrated. HBC relies on the IEC 62443 standard framework throughout the entire product lifecycle. Our risk analysis and overall system design is based on all published parts of IEC 62443-3. We reference all published parts of IEC 62443-4 for product design, R&D and lifecycle management as a component supplier. By means of this approach, we cover two separate aspects:
• We rigorously assess typical risk scenarios for the HBC product on the OT system level. Based on such analysis, we provide our customers with a comprehensive set of information when integrating our radio control system into their OT control architecture.
• By splitting the HBC radio remote control system into separate subsystems and applying both component and system level requirements, we achieve the design of a radio remote control system which is inherently cyber-secure within itself.

How is security implemented at HBC?

At HBC, we perform systematic risk assessments for both safety and cybersecurity aspects for all our products. Such analysis regularly includes the design and implementation phases as well as later phases of the product lifecycle. It is likely that new threat vectors will be identified over time, which are then considered in risk assessment updates. Although not all attack vectors can be emulated with reasonable effort, we submit our systems for external penetration testing wherever feasible. It is even possible to develop such tests specific to our customers’ applications.

Our risk assessment covers all HBC core technologies, including:
- data handling and processing of input and output commands on both the operator side (“radio transmitter”) and the machine side (“radio receiver”),
- the radio link itself, accounting for the fact that our customers often operate in unlicensed frequency bands in areas with considerable radio communication traffic,
- user authentication,
- data visualization and data processing in our various display technologies.

Wireless data transmission is a useful example for understanding how a secure implementation is subject to re-evaluation over time. As more wireless technologies have become available in the past years, threat vectors have also multiplied. For HBC products, the radio link has always been central to our considerations, as due to the physical nature of electromagnetic interaction, the radio link is the part of the radio system most easily affected by third-party interference. For more than a decade, HBC has provided fully encrypted radio transmission. Yet we are continuously working to refine and harden our secure radio transmission. In recent years, the security of industrial radio remote control systems has been subject to intense study. A comprehensive survey authored by the US-Japanese security experts at TrendMicro on a broad range of attack scenarios specifically applicable to industrial remote control was published in [11]. Below, we take a brief look at the cyber threats discussed in the survey. All these scenarios have been addressed in the design and the handling of our HBC products.

Capture-Replay attack

This term refers to the recording and/or copying of a radio telegram (“capture”) by an attacker (equipped with the appropriate hardware), who then re-broadcasts (“replays”) the data to the machine.
A threat to machine safety arises from the circumstance that the machine might receive a replay of an initially valid control signal which has not been sent by the machine operator, but by an interfering attacker with presumably malicious intent. Command Injection attack An even more advanced form of the capture-replay attack is an attack where the malicious actor not only records a telegram and replays it at a different time, but where the attacker is also able to retrace or decode the telegram structure. Therefore, if the attacker conducts a targeted analysis and identifies the location of the encoded command assigned to a particular machine operation in the data stream, the command can then be replaced by an alternative unintended command. Full command of the machine is then possible. Malicious Re-Programming Machine control systems are encoder / decoder architectures which ultimately serve the purpose of transferring a command triggered by an operating element to the respective output on the machine (or vice versa, transferring an input information from the machine to a displaying element for the operator to evaluate). The assignment of an operating element to an output element is part of the control system’s firmware, and data integrity with respect to the command definition is essential for the correct and safe functioning of the machine. Malicious Re-Pairing Radio regulations require systematic coupling (”pairing“) of the operating device (“radio transmitter“) and the component installed on the machine (”radio receiver“). Typically, this is specified in the header of the telegram by means of dedicated address information. ©2025 by HBC-radiomatic GmbH. All rights reserved. Page 12 of 20

The radio receiver will only accept telegrams if they include the expected address. In this attack scenario, the attacker emulates the original transmitter with a correctly addressed external transmitter device and is then able to pair with the receiver and hijack the machine or the industrial process. This scenario is similar to a situation where an attacker uses a correct password to access a protected area.

The authors of the study propose that a security-conscious user should make sure the pairing address is configurable and changed frequently (as is common practice when assigning passwords). The premise is that such measures will increase the system’s data security. We at HBC chose to disagree with this proposal and shall briefly explain our position.

Considering any individual system, the proposal seems to make good sense, especially if secure and safe address data changes are consciously managed. However, according to our long experience developing, selling and maintaining industrial radio systems, remote control systems cannot be regarded as isolated or as remaining in a fixed location. Instead, machines from various machine manufacturers travel from one site to the next during their service life. Many will operate on common frequency bands and may “encounter” one another in the work environment. Think, for example, of a large construction site or industrial installation, where several machine types from a variety of manufacturers frequently work within radio range of one another. Address data reconfiguration and/or unmanaged changes to safety and/or security relevant data in such a setting can be extremely challenging to handle. Typically, radio control manufacturers use differing address pairing methods, but usually do not manage the machine fleets. Therefore, they have no insight into the pairing methods or address information assigned to all machines within the radio environment. Configurable addresses (e.g. via DIP switch configuration, simple code strings, etc.) can introduce the possibility of address duplication. Address duplication can result in the unintentional activation and control of a machine and might lead to severe machine damage, as well as endangering the life and limb of the operator.

HBC’s position is to strictly control the use of safety and/or security relevant data content and to explicitly prohibit configuration of such data by third parties. To prevent malicious re-pairing attacks, HBC’s radio remote control systems are factory-paired via a serialized, encrypted and non-duplicated proprietary address coding, making the system secure by design. As a matter of principle, address data cannot be replaced or modified by an unauthorized user.

However, a scenario that the survey in [11] did not consider, but which we nevertheless consider very relevant, is what we refer to as:

Command injection at the machine (hardware) interface

Customers should pay particular attention to the design of the interface between the HBC remote control receiver and the machine, and to access to the machine itself. HBC offers a large variety of interface solutions, starting with simple hardware-driven relay, voltage or current interfaces, up to more advanced fieldbus protocols such as CANopen, ProfiBus or ProfiNET. It needs to be mentioned that in their standard implementation, none of these interfaces are hardened for cybersecurity. A risk can be introduced by directly accessing the machine control through command injection at the interface itself, or even by replacing the original radio remote control system with a spoofed receiver imitating its behavior at the interface. It becomes clear that the risk analysis will need to consider the relevance and probability of unauthorized physical access to the OT hardware (radio receiver or machine). If such physical access cannot be prevented, authentication mechanisms at the machine interface can be deployed to verify the identity of the HBC system when it tries to establish communication with the machine’s main controllers or PLC.
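The receiver-side checks that counter the capture-replay, command-injection and re-pairing scenarios described above, together with a challenge-response authentication at the machine interface, as an added example that is not HBC code: the telegram layout, keys, addresses and function names are assumptions constructed for this illustration, not HBC’s proprietary address coding or protocol.

```python
import hmac
import hashlib
import struct

# Constructed example, not HBC code. Wire format, keys, addresses and
# function names are assumptions for this illustration.
# Telegram layout (big-endian):
#   8 bytes  pairing address (fixed per transmitter/receiver pair)
#   4 bytes  monotonic telegram counter
#   2 bytes  command word (bit field of operating elements)
#  16 bytes  truncated HMAC-SHA256 over the three fields above
HDR = struct.Struct(">8sIH")
TAG_LEN = 16
DEMO_KEY = b"constructed-demo-key-not-for-use"  # constructed pairing key
DEMO_ADDRESS = b"RIG-0001"                      # constructed pairing address


def _tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def build_telegram(key, address, counter, command):
    """Transmitter side: address, counter and command are authenticated together."""
    body = HDR.pack(address, counter, command)
    return body + _tag(key, body)


class Receiver:
    def __init__(self, key, address):
        self.key = key
        self.address = address
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, telegram):
        """Return (command, "ok") or (None, reason) for a rejected telegram."""
        if len(telegram) != HDR.size + TAG_LEN:
            return None, "bad length"
        body, tag = telegram[:HDR.size], telegram[HDR.size:]
        # Integrity first: a modified command word (command injection) or a
        # telegram built without the pairing key never reaches the outputs.
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return None, "bad tag"
        address, counter, command = HDR.unpack(body)
        if address != self.address:  # telegram meant for another pairing
            return None, "wrong pairing address"
        # Replay protection: a recorded telegram repeats a counter value that
        # is not above the last accepted one. Requiring strictly greater
        # tolerates lost telegrams in a busy band without a replay window.
        if counter <= self.last_counter:
            return None, "replayed counter"
        self.last_counter = counter
        return command, "ok"


# Machine-interface authentication: the PLC issues a fresh random challenge and
# the receiver proves knowledge of an interface key bound to its serial number,
# so a spoofed receiver wired to the same terminals cannot open a session.
def interface_response(interface_key, receiver_serial, challenge):
    return _tag(interface_key, receiver_serial + challenge)


def controller_verify(interface_key, receiver_serial, challenge, response):
    expected = _tag(interface_key, receiver_serial + challenge)
    return hmac.compare_digest(response, expected)
```

In a deployment the pairing key and interface key would be provisioned at the factory and never be user-configurable, matching the position on address data stated above.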

Note that in [11], a broad spectrum of radio remote controls by different suppliers was tested for security. In this survey, no vulnerability was revealed on an HBC system, and, as the interested reader can easily verify, no Common Vulnerabilities and Exposures (CVE) record or Zero Day Initiative (ZDI) advisory was filed for HBC (for CVE, see e.g. [12]; for ZDI, see [13]). We also note that positive reference was made to some security-related options of HBC’s product range (e.g. radiomatic® infrakey and user identification via the merlin® Transmitter User Card).

Since the publication of [11], we have further hardened our security design by introducing advanced encryption on various levels of our system architecture. Making use of our highly serviceable modular approach, as is the case with our TC RF modules, it is often possible to enhance the system’s security significantly without impacting the customer interface. As a next step, CRA-compliant HBC products will feature full-scale end-to-end encryption of the entire communication link between the data processor units at both ends of the control system. Furthermore, all system-specific or machine-specific data stored in any location within the radio remote control system will be fully encrypted to ensure data integrity and an extremely high level of confidentiality. All encryption methods are based on the NIST Recommendation NIST SP 800-57 [14], which lists cryptographic algorithms and gives general guidance on cryptographic key management. Such measures can further reduce the risk of the attacks referenced above.

HBC will work with your requirements as the machine OEM or system integrator for all safety- or security-relevant implementations, from the interaction of the operator with the machine via the transmitter HMI to the interface between the radio remote receiver and the machine and its overall control system.
HBC systems are designed and built according to your technical specification and to meet your risk assessments for operational, safety and cybersecurity matters. It is our obligation to map your requirements to our product technology so that you can expect to maintain the desired level of security when you connect the HBC product to your machine.

How can HBC support to make your system secure?

Product development and design

For the whole supply chain to deliver security (see Figure 1), the risk analyses and technical considerations of the various OT devices in each role and at each level need to align and match in order to build a comprehensive and secure OT solution. We believe that building an in-depth understanding of the integration of the radio remote control system into the overall machine or process control system is a crucial step on the path to cyber-secure OT. We appreciate an open and constructive exchange with you at an early stage of your project. Our security experts are at your disposal to discuss your projects and ideas. For further information or questions regarding HBC’s approach to cyber security, please use the following contact: cybersecurity@radiomatic.com

During the design phase of a joint OT solution, HBC engineers will support you by supplying:
• our knowledge of the specifics of radio remote control applications;
• our comprehensive knowledge of various radio link solutions;
• our security risk assessment for cyber threats specifically related to wireless data transmission, the remote operation of a machine, our HBC products, and their interface options;
• our products and tool sets of HBC solutions for mitigating cyber risks and for achieving appropriate security levels (SL).

What you will bring to the table:
• your security risk assessment for your machine and machine access (considering machine and operator levels);
• your understanding of the intended use and reasonably foreseeable misuse by the operator and/or other personnel involved;
• your overview of threats and attack vectors on the machine and, as far as you can foresee, threats and attack vectors for remote operation;
• the expected Security Level (SL) according to IEC 62443 (or equivalent if relying on a different framework).

Together we will:
• analyze and answer key questions for a risk assessment combining your application and the HBC product;
• define the criticality of each security aspect;
• define the appropriate cyber security measures corresponding to each threat;
• select the most suitable HBC product to fit the overall solution;
• finalize the complete set of requirements to be implemented by HBC.

For first-of-its-kind solutions, or whenever required, HBC can also initiate and/or support third-party assessments of a complete system setup. We recommend supporting requirement analyses through a joint effort of one or more workshop sessions, including the option of third-party participation. Workshop sessions can be offered in-house at HBC, at your site, or as a remote session.

Product lifecycle support

We care for our products throughout their service life. For as long as HBC has been delivering radio remote control systems, we have kept detailed documentation on every product delivered. We are aware that our products can travel far, but there is (almost) no place where we cannot help. It is our duty to make sure that our products are safe and secure, and remain safe and secure. We are currently building up our global reporting system for responsible disclosure and shall keep you updated on our progress. In the meantime, should you become aware of any security incident in which an HBC system is involved, please contact us at: cyberincident@radiomatic.com

You help us by sharing the serial numbers of the transmitter and receiver components from their type plates, which typically identify the product type and the production year (as in 810 - 25 12345 for our receiver 810 built in 2025). If possible, please also indicate where you purchased our product.

Conclusion

Cyber-attacks by various agents have become a reality for OT systems, including the threat to remote controls when integrated into a customer’s application. Accidents and unwanted damage are not the only risks to be aware of; OEMs and operators of OT must also be prepared to face cybercrime. The EU’s response to cybercrime is the Cyber Resilience Act. Due to the nature of the HBC product, the CRA is relevant to the design and use of an HBC product. Any HBC radio remote control system delivered after December 1st, 2027 will be CRA-compliant. During our R&D processes, we rely on the internationally renowned IEC 62443 framework.

Security needs to be a continuous activity accompanied by systematic risk assessment, not unlike functional and safety improvements. Even if security measures can never be 100% effective over time, the implementation of available security measures with careful planning can bring security up to a level that is adequate for any application and installation. As security is a shared responsibility of the whole supply chain, early cooperation with our customer is necessary to achieve overall security. The customer requirement is the leading element in the design of the secure remote control. HBC supports our customers during risk assessment, concept design and implementation. A joint workshop could be a good place to start.

Contact us

For any inquiry relating to cyber security, please use the contact information listed above. HBC is also there to help you at:

HBC-radiomatic GmbH - Headquarters
Haller Strasse 45 – 53
74564 Crailsheim
Germany
Phone: +49 7951 393-0
info@radiomatic.com

or find our local sales and service representatives at:

Terms and definitions

Operational technology: Programmable systems or devices that interact with the physical environment or manage devices that interact with the physical environment. OT devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events.

Asset: An item of value to stakeholders. May be tangible (e.g., a physical item such as hardware, firmware, computing platform, network device, or other technology component) or intangible (e.g., humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation).

Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

Vulnerability: Weakness in a system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat.

CVE: The Common Vulnerabilities and Exposures system identifies all vulnerabilities and threats related to the security of information systems. To do this, a unique identifier is assigned to each vulnerability.

Security: Protection against intentional subversion or forced failure. A composite of several attributes: confidentiality, integrity, availability, accountability and usability.

Safety: Freedom from conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment.

Note: All definitions above can be found at the National Institute of Standards and Technology (NIST), US Department of Commerce.

ZDI: The Zero Day Initiative (ZDI) is an international software vulnerability initiative. The ZDI program buys various software vulnerabilities from independent security researchers and then discloses these vulnerabilities to their original vendors for patching before making such information public.

Disclaimer

HBC-radiomatic GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur through the distribution and/or use of this document, or any losses in connection with the distribution and/or use of this document. All information published in this document is provided in good faith by HBC-radiomatic GmbH. Insofar as permissible by law, however, none of this information shall establish any guarantee, commitment or liability on the part of HBC-radiomatic GmbH.

References

REF | Title, Publisher / URL | Publication Date / Access Date
[1] “Principles of operational technology – cyber security”, 2 Oct 2024. Copyright Commonwealth of Australia, 2024. Available at: https://www.cyber.gov.au/about-us/view-all-content/publications/principles-operational-technology-cyber-security?utm_source=international_partner& Accessed in March 2025.
[2] “EU and United States enhance cooperation on cybersecurity: Shaping Europe’s digital future”, Press release, The European Commission, January 2024. Available at: https://digital-strategy.ec.europa.eu/en/news/eu-and-united-states-enhance-cooperation-cybersecurity Accessed in March 2025.
[3] “Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act)”. Available at: http://data.europa.eu/eli/reg/2024/2847/oj Accessed in March 2025.
[4] “Cyber Resilience Act: Shaping Europe’s digital future”, The European Commission, 23 October 2024. Available at: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act Accessed in March 2025.
[5] “Guide to Operational Technology (OT) Security”, NIST Special Publication NIST SP 800-82r3, National Institute of Standards and Technology, US Department of Commerce, September 2023. Available at: https://csrc.nist.gov/pubs/sp/800/82/r3/final Accessed in March 2025.
[6] “CODESYS Security Whitepaper”, Codesys Group, Rev. 9.1. Available at: https://de.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf Accessed in February 2025.
[7] “IT-security for industrial automation - General model”, VDI/VDE 2182, VDI/VDE, Germany, January 2020.
[8] “Cyber Resilience Act Requirements Standards Mapping”, Joint Research Center & ENISA Joint Analysis, Publications Office of the European Union, April 2024.
