Thierry Bieber, business development manager at HMS Industrial Networks, on the Cyber Resilience Act
“The CRA brings the necessary regulatory pressure”
The Cyber Resilience Act (CRA) is fundamentally changing industrial automation. HMS expert Thierry Bieber explains why secure communication is now mandatory, where SMEs are struggling - and how manufacturers can make their products fit for the CRA era.
Editorial team: Mr Bieber, let's perhaps start by laying a very basic foundation: what significance does the Cyber Resilience Act have from your perspective for industrial automation and OT communication?
Thierry Bieber: We see that our industry urgently needs to address the issue of security. Production networks need to be more robustly protected - and the CRA is a central building block for this. Devices that are integrated into industrial networks will need to consider cybersecurity in the future, thus forming the basis for secure networks and secure production. Slightly exaggerated: no cybersecurity - no industrial digitalisation.
We already had security products in the past, but the market demand was comparatively limited. The CRA now brings the necessary regulatory pressure. Companies recognise that security is no longer optional. They must act and make their devices more resilient. This is the right path and we are now in a real implementation phase.
Editorial team: What role do your solutions play today and in the future in securing industrial communication?
Bieber: HMS is an expert in industrial communication - this automatically makes us the first point of contact for secure communication. Our Anybus products often form the communication interface of a device. This means we bear a high responsibility, as this interface must be completely secure.
We want to enable our customers and take as much security complexity off their hands as possible. However, it is also important to say: the communication interface does not cover everything - customers must also implement security on their side.
Additionally, we offer external devices such as gateways or firewalls that segment networks and create additional layers of security. Our focus was and is: to enable communication - and in the future always with security-by-design.
Editorial team: Many large companies are already advanced on the topic, but especially the medium-sized businesses, which represent the majority of the industry, are under enormous pressure: CRA, NIS2, AI regulation - often resources for implementation are simply lacking. Or are there other typical challenges that you frequently encounter?
Bieber: In the end, it is actually always about the topic of resources, and our survey as part of our "Industrial Network Market Study" confirms this very clearly once again:
The biggest hurdles are a lack of expertise and resources, along with unclear requirements - and of course, the additional costs burden smaller companies more heavily in proportion.
We feel this in almost every customer conversation. Many companies know they need to act, but they need guidance: where to start? What steps are sensible? What standards apply? This is where we come in, supporting these customers very intensively with expertise, recommendations, and roadmaps.
Editorial team: Are there typical pain points that recur in many companies?
Bieber: Yes. Especially in the area of fieldbuses. With modern services like web servers, it's clear: HTTPS, certificate management, user management - all known from IT. But in the field, these tools and processes are often not yet available. A second major issue is usability: even if standards exist, it often fails in practical usability.
At the field level, we are only at the beginning with many security extensions of the protocols. There are specifications, but few complete product solutions. Companies must weigh the ideal future against the pragmatic present - and it is precisely in this area of tension that we advise.
Editorial team: The CRA does not end with the market launch of a compliant product. Manufacturers must provide free security updates for at least five years, manage vulnerabilities, and inform about known security gaps within 24 hours depending on the classification. How do you support your customers in this?
Bieber: The most important thing: we implement cybersecurity internally first. Since 2021, we have been certified according to IEC 62443-4-1. This includes development processes, vulnerability management, lifecycle management, and communication with customers. So we live it ourselves.
Building on this, we have comprehensively analysed and described our product documentation, all communication channels, and security levels. We offer clear best practices and guidelines for integrating our modules.
In addition to the standard products, we also offer an IoT/security variant of our communication modules with a higher level of protection - including security chips, secure boot, signed components, encrypted communication, etc. These modules are 1:1 interchangeable, which significantly eases integration for customers.
Editorial team: Since when has your portfolio been completely geared towards cybersecurity? And did you update all products for this, or was this also the occasion to discontinue certain offerings, as other manufacturers have done?
Bieber: Our security journey began back in 2018 - driven by major OEM customers. By 2021, we were ready to be certified according to IEC 62443. The standard is an excellent foundation for CRA compliance.
Our current product families are therefore all very well positioned and will receive the 62443-4-2 certification for devices in 2026. Very old products are more challenging - we operate in a rather conservative industry, and some offerings have been on the market for over 20 years. Many customers want to operate these devices for another ten years. In automation, longevity counts.
Therefore, we are looking for pragmatic solutions: external protective measures, additional security barriers, or minor adjustments without having to discontinue the product. But yes, this is one of the biggest challenges: legacy management.
Editorial team: Do you also offer your customers a CRA assessment of their brownfield installations in this context?
Bieber: No official paid service. But we offer support in the form of workshops, consulting, and technical coordination. Customers come with the core question: "What do I need to do now?" - and we help with the interpretation of regulations, initial steps, risk assessment, and possible solutions. It is a joint learning process.
Editorial team: What actually happens when the legally required update obligation ends after five years? Could security-as-a-service become a business model?
Bieber: Mentally yes, but it is difficult to implement. Lifecycle management is becoming more important, no question. But in the device manufacturer environment, it is difficult to establish viable service models. Security must become an integral part of industrial communication - not an isolated service. Therefore, one should rather think about models around "communication-as-a-service".
Editorial team: In conclusion: If you had to recommend first steps towards CRA compliance to an SME - what would they be?
Bieber: Firstly: Clear priority from management. Cybersecurity affects processes, products, and costs. The entire company must be behind it.
Secondly: Record the current state. What devices, what communication channels, what services are available? What is already secured, what is not?
And thirdly: Risk analysis and security by design, especially with regard to the area of application of the products. Which interfaces are really necessary? What alternatives are there? Which configuration is secure? What must remain closed? Capturing and documenting this is already a big first step - because it creates the necessary transparency for the end customers.
Based on these steps, one can then prioritise, create a roadmap, and select suitable solutions. And we support this, of course - technically, consultatively, practically.