EtherCAT, the industrial networking technology, already meets Security Level 2 requirements under the EU’s Cyber Resilience Act without any modification, according to the EtherCAT Technology Group.
The organisation is preparing optional protocol extensions aimed at more demanding use cases, while TÜV SÜD works with the group on a formal assessment report.
The push comes as cyber security and cyber resilience move to the forefront for manufacturers, who now face tougher legislation in Europe and beyond. Rules increasingly require risk assessments, evidence of countermeasures, and reliable disclosures about the cyber resilience of products.
EtherCAT, a fieldbus system built on Ethernet but designed to operate without the layers of IT networking, differs fundamentally from typical Ethernet-based systems. Because EtherCAT devices process data on the fly using dedicated chips, they avoid many common vulnerabilities associated with IT stacks. The architecture also separates the EtherCAT segment from the wider IT network, with the controller acting as a choke point that sharply limits the attack surface.
Once the controller is secured, the system cannot be accessed from the Internet or a company network; physical access to the EtherCAT segment would be required. EtherCAT uses raw Ethernet frames rather than the Internet Protocol, whereas most malware depends on IP for routing.
Frames not native to EtherCAT are discarded by the chips, and devices are unable to manipulate data not addressed to them, even in the event of compromised firmware. Unused ports can be deactivated by the controller, which can also detect devices inserted into the network, including non-EtherCAT hardware.
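As an added illustration of the segment isolation described above (example code, not from the EtherCAT Technology Group or any vendor), a small monitor that classifies raw frames seen on a segment: EtherCAT frames are recognised by the registered EtherType 0x88A4 and their datagram chain is walked, while IP, ARP or other frames, which the slave chips discard, are flagged so the sending device can be traced. The sample frame, the register values in it and the Verdict field names are constructed for this example.

```python
import struct
from collections import namedtuple

# EtherTypes seen on an Ethernet segment; 0x88A4 is the registered EtherCAT EtherType.
ETHERTYPE_ECAT, ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_VLAN = 0x88A4, 0x0800, 0x0806, 0x8100
DGRAM_HDR = 10  # cmd(1) idx(1) address(4) len/flags(2) irq(2); a 2-byte WKC trails the data
Verdict = namedtuple("Verdict", "kind native datagrams note")  # native: well-formed EtherCAT

def classify_frame(frame: bytes) -> Verdict:
    """Classify one raw frame the way a monitor on an EtherCAT segment would."""
    if len(frame) < 14:
        return Verdict("other", False, 0, "runt frame")
    ethertype, payload = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:  # skip an 802.1Q tag
        ethertype, payload = struct.unpack("!H", frame[16:18])[0], frame[18:]
    if ethertype != ETHERTYPE_ECAT:
        kind = {ETHERTYPE_IPV4: "ipv4", ETHERTYPE_ARP: "arp"}.get(ethertype, "other")
        return Verdict(kind, False, 0, f"EtherType 0x{ethertype:04x} is not EtherCAT; "
                       "slave chips discard it, so find out which device sent it")
    if len(payload) < 2:
        return Verdict("ethercat", False, 0, "truncated EtherCAT header")
    hdr = struct.unpack("<H", payload[:2])[0]  # little-endian: bits 0-10 length, 12-15 type
    ecat_len, ecat_type = hdr & 0x07FF, hdr >> 12
    if ecat_type != 1:  # type 1 = EtherCAT datagrams
        return Verdict("ethercat", False, 0, f"unexpected EtherCAT header type {ecat_type}")
    body = payload[2:2 + ecat_len]
    if len(body) < ecat_len:
        return Verdict("ethercat", False, 0, "EtherCAT length exceeds frame")
    count = off = 0
    while True:  # walk the datagram chain; bit 15 of len/flags (M) says another follows
        if off + DGRAM_HDR > len(body):
            return Verdict("ethercat", False, count, "truncated datagram header")
        flags = struct.unpack("<H", body[off + 6:off + 8])[0]
        off += DGRAM_HDR + (flags & 0x07FF) + 2
        if off > len(body):
            return Verdict("ethercat", False, count, "datagram overruns frame")
        count += 1
        if not flags & 0x8000:
            return Verdict("ethercat", True, count, "native EtherCAT frame")

def build_ecat_frame(payloads) -> bytes:
    """Constructed sample: an EtherCAT frame with one FPRD datagram per payload (not captured traffic)."""
    body = b""
    for i, data in enumerate(payloads):
        more = 0x8000 if i < len(payloads) - 1 else 0
        body += struct.pack("<BBHHHH", 0x04, i, 0x1001, 0x0130, len(data) | more, 0) + data + b"\0\0"
    return (b"\xff" * 6 + bytes.fromhex("020000000001") + struct.pack("!H", ETHERTYPE_ECAT)
            + struct.pack("<H", len(body) | 1 << 12) + body)
```

Feeding captured frames from a mirror port through `classify_frame` gives a quick inventory of anything on the segment that is not native EtherCAT, which is the same class of foreign traffic the controller is expected to detect.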
Martin Rostan, Executive Director of the EtherCAT Technology Group, said the organisation is confident that EtherCAT already aligns with IEC 62443 and the Cyber Resilience Act for almost all common industrial applications, without requiring protocol changes.
IEC 62443 underpins industrial cyber-security standards globally, and forms the basis of the EU’s Cyber Resilience Act. For applications needing exceptionally high levels of security, the group is developing optional protocol enhancements that require no hardware revisions. It is also preparing a certification authority to allow members to sign and authenticate device description files and software in a consistent manner.
TÜV SÜD is preparing a test report assessing EtherCAT’s cyber resilience under IEC 62443. While its experts broadly concur with the group’s conclusions, the final assessment has not yet been published.