27 October 2022
August 2022 will go down in history as a landmark date for the elevator and escalator industry. This was the month from which manufacturers all over the world could download ISO 8102-20 and know that, if they were to build to the specifications outlined in the document, the cybersecurity of their products would be carefully considered from the very start.
ISO 8102-20 distills three years of work by multiple industry bodies, experts, and individual manufacturers into 34 game-changing pages. KONE wasn't just along for the ride – three senior team members were on the working group, and KONE Leading Expert Ari Kattainen convened it.
"I'm not originally a cybersecurity expert, I'm more aligned with the functional safety side of what we do," says Kattainen, "so being involved in the creation of this new cybersecurity standard was incredibly interesting. My main goal was to bring together the various experts in the working group effectively so that there was a really good atmosphere and dialogue."
Benefits for customers, end-users, and the environment
Adhering to the new ISO standard – now a KONE priority – is not only a way to demonstrate to customers that their systems will feature best-in-class cybersecurity for many years to come, it also means that end-users can enjoy an efficient, seamless service.
"Cybersecurity is like a foundation," says Kattainen. "It means we are safely able to have products which are connected to the external world. And without this connection to the external world, people flow is not so efficient."
The cybersecurity protection that the new standard brings will ensure that when connections are made in order to update systems remotely, the risk of outside interference is minimized. "You're not opening up a portal for somebody to come in and hack the system and try to disrupt it in some way," says Kevin Brinkman, Senior Director of Codes for America's National Elevator Industry, Inc. (NEII).
This comes with positive environmental implications, too. Secure systems that can be updated remotely mean that KONE can reduce the number of times an engineer needs to visit an elevator or escalator to maintain it.
What was especially of interest for Kattainen – as well as his working group KONE colleagues Jussi Valkiainen, Head of Product and Application Security, and Mika Katara, IoT Security Manager – was seeing not just what was required for the new standard, but why it was required. "That really takes things to the next level," he says.
Understanding the role of standards in cybersecurity
It is the growth of smart cities and interconnectivity, Valkiainen says, that has driven the need for a new international standard for cybersecurity in elevators, escalators and moving walkways.
"Around five or six years ago," he explains, "digitalization and connectivity started to appear in our sector and there was a realization among many of the manufacturers that by introducing connectivity we were also introducing cybersecurity risk. We needed a way to protect against that."
But what risk? Kattainen, for one, can list multiple worst-case scenarios, threats that the working group had to envision when 'war-gaming' what they needed to protect against.
These ranged from a hacker targeting an elevator’s alarm phone to a denial-of-service attack, in which a ‘bad actor’ could disable elevator cars and demand a ransom.
The new standard helps manufacturers protect against such risks and, in turn, avoid the reputational damage that could follow if a security breach leads to negative publicity, Kattainen points out.
Industry competitors convene to put safe products first
The new standard clearly points to an industry that is taking cybersecurity incredibly seriously.
"There were existing cybersecurity standards for other industries but nothing specific to the uniqueness of the lift industry," says the NEII’s Kevin Brinkman. "We thought a standard would help with that, so NEII first created a set of guidelines as a starting point and then we reached out to the International Organization for Standardization, the European Lift Association and the CEA – the Chinese Elevator Association – among others."
ISO supported the idea of a new international standard, and the working group was set up to explore this. "Ari did a great job as the convener," notes Brinkman, "and he made sure that the comments and thoughts of all relevant parties were considered."
"We had a very good group of experts and were able to move along in a timely manner," says Brinkman. "We had a new standard in less than three years, which is pretty unusual. The participants might have been competitors, but when it comes to safety and making sure the products that they put out there are going to provide a reliable and safe product for the customer and the mechanic who has to work on them, we're talking with the same voice."
Existing IEC 62443 standard offers a running start
In creating the new standard, the working group didn't have to start from scratch – an existing IEC Standard provided a solid base from which to build.
"We didn't want to reinvent the wheel," says Valkiainen. "Quite early on, we decided that we would refer to the cybersecurity for industrial control systems standard IEC 62443 and basically derive the requirements for elevator and escalator control systems from that."
KONE was already deeply familiar with IEC 62443, having developed its DX class elevators in accordance with its requirements. In fact, KONE has recently been awarded a higher level of certification for IEC 62443-4-1, moving up from “maturity level” ML2 to ML3.
This means, says Valkiainen, that KONE now has documented proof of having carried out all of the steps in the development process that IEC 62443-4-1 stipulates. It is yet another example of KONE's commitment to world-class cybersecurity.