Industrial Cyber Security

In an age of rapid technological progress, new innovations such as the Internet of Things (IoT), artificial intelligence and robotics are opening up great opportunities. They enable more efficient production, flexibility and new business models. The more machines, systems and production processes are networked with each other, the larger the attack surface becomes: vulnerabilities that previously existed in isolated systems can suddenly be exploited through communication links or open interfaces. Such gaps in industrial cyber security not only harbor risks of business interruptions and high economic losses, but can also pose direct physical dangers, for example if safety-relevant control systems are manipulated. Above all, this is a threat to the industrial cyber security of Industry 4.0.

Many companies underestimate the connection between IT and OT (Operational Technology), meaning that security measures often take effect too late. Legal requirements, such as EU regulations, standards like IEC 62443 or directives like NIS2, are increasingly demanding that security concepts are considered holistically at an early stage in order to achieve comprehensive industrial cyber security. Only proactive protection, ongoing risk management and integrative security architectures can ensure long-term trust, stability and protection in networked industrial environments.

The increasing networking of machines and systems makes it essential for companies to deal intensively with industrial security. In addition to the growing technical risks, legal requirements that will become mandatory in the coming years also play a key role. The aim of these regulations is to identify risks within industrial cyber security at an early stage, prevent attacks and thus ensure the security of companies, employees and end customers.

The most important requirements at a glance:

• Cyber Resilience Act (CRA):
  The CRA obliges manufacturers to equip their products with appropriate security standards and to provide security updates over the entire life cycle. This is to ensure that devices and software are permanently protected against attacks.

• NIS 2 Directive:
  This directive will be binding from October 2024 and affects companies in numerous sectors, from energy and transportation to healthcare and digital infrastructure. It already applies if a company has more than 50 employees or a turnover of more than €10 million. NIS 2 is aimed at both IT and OT departments and includes product suppliers.

• Radio Equipment Directive Delegated Act (RED DA):
  The RED-DA stipulates that radio equipment and devices with communication interfaces, such as routers, IoT devices or smart home products, must meet safety requirements before they can be placed on the market.

• EU Machinery Regulation (MVO):
  In future, the MVO will regulate not only the physical but also the digital protection of machinery. This applies to manufacturers of complex systems as well as producers of smaller devices with communication interfaces. The aim is to minimize security risks right from the design and development stage.

Industrial IT security, especially OT security (Operational Technology Security), deals with the protection of production and industrial plants against intentional or unintentional manipulation and cyber attacks. This results in a critical interface between classic IT security (e.g. office systems, networks, software, data processing) and OT security, which includes production control, machines and physical systems.

While confidentiality and data protection are often paramount in the IT environment, system availability is the top priority in the OT domain, as production downtimes have immediate economic and sometimes also security-related consequences.

A holistic industrial IT security concept is therefore required:

• Clear definition and implementation of interfaces between IT and OT zones down to machine level
• organizational and technical measures that control both digital and physical access
• Continuous monitoring, incident response and updates over the entire product lifecycle to address new vulnerabilities and changing threat situations

This interplay between IT and OT security makes it possible to make production processes more stable, comply with safety regulations and minimize risks, both for systems and for employees.

Industrial security aims to ensure the availability, integrity and confidentiality of machines, systems and their data and processes.

• Availability: Systems and processes should run reliably and failures should be avoided in order to minimize production downtime and economic losses.
• Integrity: Data and control commands must not be manipulated, either by deliberate attacks or unintentional changes.
• Confidentiality: Only authorized persons or systems may have access to sensitive information

• Integrated firewall
• Protection of unauthorized software downloads through Secure Boot
• Access and user management
• Password protection with defined rules
• Cryptographic password encryption in accordance with BSI TR-2102
• Patch and update management
• Protected OS on delivery through pre-configuration
• Penetration tests
• Certified development process according to IEC 62443-4-1
  

Attacking systems at all can have various motives, even if these are not obvious at first glance.

• Blackmail:
  Disruption of production processes that is only reversed against payment of money, e.g. with the use of ransomware
• Industrial espionage:
  Theft of business-critical information and know-how
• Political motivation:
  Attacks on critical infrastructure as part of a “cyber war”
• Demonstration of power:
  Causing maximum damage without a specific target
• Demonstration of feasibility:
  Attacks to improve the resilience of the systems

In August 2025, we made a new software version available for download that covers compliance with the regulatory requirements of the RED.

The extension through the EN-18031 standard fulfills important requirements in the area of network integrity and cyber security. This further development brings numerous improvements in the areas of security, resilience and system monitoring and is an important step towards future-proof application development on our devices.

The new software affects the device families:

• MR-L2 Router
• MC100 Terminal/Gateway/SensorBox

The new software version may result in changes to the behavior of existing applications, particularly in sensitive areas such as:

• Password management
• Cryptographic keys
• System resilience
• Monitoring mechanisms

We recommend checking existing applications for compatibility at an early stage and adapting them if necessary. Detailed documentation and a migration guide are available for download.

• Greater security through standard-compliant implementations
• Greater control over critical functions
• Better stability in operation under demanding conditions

Stay up to date – we will inform you shortly about the exact release date and the resources available for the changeover.