IT security in production

Cyberattacks cause billions in damages – even in manufacturing. The European Union is responding with new laws, standards, and guidelines on cybersecurity. For small and medium-sized enterprises (SMEs), it is becoming increasingly difficult to keep track of complex security requirements, recognize their relevance, and take appropriate measures.

Security is not a nice-to-have, but a legal obligation

Digital transformation opens up enormous potential for manufacturing companies, but also poses new risks. Increasing connectivity, AI-powered systems, AR/VR, and intelligent production processes are creating more and more vulnerabilities to cyberattacks. Heterogeneous IT/OT environments and outdated legacy systems are particularly affected.

With the NIS 2 Directive, the Cyber Resilience Act (CRA), and the revised EU Machinery Directive, the EU requires manufacturing companies to secure their systems comprehensively and in compliance with the law. These requirements are binding: non-compliance can result in fines and financial losses.

Harnessing the Potential of IT and OT Security

Beyond defending against threats, well-secured IT systems can also have a positive impact on manufacturing value creation: secure communication between machines or with suppliers, for example, can help reduce storage space and improve product quality.

What we offer

  • Clear guidance through the maze of standards
  • Customized security strategies for your industry
  • Integration of IT/OT security into existing systems
  • Support with risk analysis, implementation, and documentation
  • Positioning your company for the future

Overcoming challenges together: We’re here to support you!

NIS-2

We support you in

  • assessing NIS-2 relevance
  • identifying security vulnerabilities through gap analyses
  • establishing an Information Security Management System (ISMS) as well as implementing reporting obligations and incident management
  • selecting appropriate protective measures for your IT and OT systems
  • providing practical training for employees and managers to strengthen security awareness

Cyber Resilience Act

We support you in

  • assessing the CRA relevance of your products and business models
  • the integration of “Security by Design” in compliance with the IEC 62443 series of standards
  • the preparation of risk analyses, CE marking, and technical documentation
  • establishing processes for vulnerability management, updates, and patch strategies
  • developing continuous security and market monitoring

EU Machinery Directive

We support you in

  • identifying affected machinery and the requirements of the EU Machinery Directive
  • the integration of IT security into machine safety assessments and risk evaluations
  • CE marking, including technical documentation
  • the development of secure networking solutions and practical training

Real-world application examples

Secure OT-cloud interface for SMEs

Challenge

A manufacturing company wanted to transfer operating information and sensor data from its industrial automation and control system (IACS) to a cloud environment. However, the IACS was designed for use in isolated fieldbus systems – without the necessary security mechanisms to be seamlessly integrated into the existing IT and security architecture.

Our solution

We analyzed the existing system architecture, including all relevant OT assets, communication paths, protocols, and interfaces. Based on detailed threat modeling and risk assessment, we developed a tailored security concept. By introducing a security gateway as a secure communication point, we successfully implemented a defense-in-depth strategy based on the zero-trust principle.

Result

  • Compliance with current security requirements and regulatory guidelines according to NIS-2
  • Secure and scalable connection to cloud environments
  • Protection of production processes through a multi-layered security architecture
  • Clear distribution of roles and responsibilities in security management
  • Greater trust among customers and partners through demonstrable IT security

Entering the market securely: Product security audit for product manufacturers

Challenge

A manufacturer of industrial automation solutions wanted to launch a new connected product – comprising hardware, software, and cloud components – on the European market. The challenge: a lack of internal expertise in industrial security compliance and insufficient documentation in the development process. At the same time, the company had to comply with regulatory requirements such as the Cyber Resilience Act (CRA).

Our solution

We conducted an Industrial Product Security Audit (IPSA) based on the IEC 62443 series of standards. This involved analyzing existing processes, establishing a secure product development lifecycle (PDLC), and performing a systematic threat and risk analysis. We defined technical requirements for components and translated them into concrete recommendations for action, while training and supporting employees throughout the entire process.

Result

  • Compliance with regulatory requirements in accordance with CRA
  • Minimization of cyber risks and enhanced product security
  • Transparent development processes build trust among customers and partners
  • Competitive advantage through demonstrable security compliance

EU Compliance: An Overview of Key Laws and Regulations

  • With the entry into force of the Network and Information Security 2 Directive (NIS2) in spring 2023 – which must be transposed into national law by October 18, 2024 – the European Union is sending a clear signal. This directive expands the definition of security-critical key sectors to include companies in the manufacturing industry.

    It requires companies to implement appropriate technical and organizational measures to protect their IT and OT systems and to report cyber incidents immediately. The goal is to increase resilience against cyberattacks across Europe and ensure a uniform level of security. For many companies, NIS-2 marks the first time they face direct legal responsibility in the area of cybersecurity – with specific requirements, liability provisions, and penalties for violations.

    That is why we assess whether the NIS 2 Directive applies to your company and support you in its implementation so that you can meet the compliance requirements.

  • With the Cyber Resilience Act (CRA), the European Union is setting another milestone in the field of cybersecurity. The regulation, which came into effect at the end of 2024, requires manufacturers and providers of digital products to implement comprehensive security measures – across the entire product lifecycle.

    The goal of the CRA is to establish a uniform level of protection for so-called “products with digital elements.” These include, among others, connected devices, software, and industrial control systems. In the future, companies must demonstrate that their products meet fundamental security requirements – from development and market release through to updates and support. Reporting obligations for security incidents are also stipulated.

    The focus is on manufacturers, distributors, and importers, who will be required in the future to ensure IT security already during development (Security by Design) and throughout the entire lifecycle of their products. The CRA requires, among other things, risk analyses, regular security updates, the remediation of vulnerabilities, and clear documentation.

    For many companies, the CRA represents a fundamental shift in development, quality assurance, and product responsibility – with clearly defined obligations, CE marking requirements, and market surveillance measures in the event of non-compliance.

    That is why we assess whether your products fall within the scope of the CRA and support you in its implementation – in a practical and targeted manner.

  • With the EU Machinery Regulation (EU) 2023/1230, the European Union is setting the course for modern, safe, and digital machinery legislation. The regulation entered into force on July 19, 2023, and will be binding in all member states as of January 20, 2027.

    The focus is on the safety and conformity of machinery and related products – taking into account digital technologies such as software, artificial intelligence, and remote access. The regulation sets clear requirements for design, risk assessment, and documentation. New obligations for manufacturers, importers, and distributors are also established, including CE marking and market surveillance.

    For manufacturing companies, this means that IT security is becoming an integral part of machine safety – and thus also a prerequisite for CE marking.

    That is why we analyze for you whether and how the new Machinery Regulation affects your products and support you in its secure implementation – from risk management to technical documentation.

You may also be interested in

IT/OT Test Lab for Cybersecurity Scenarios

The “CSII” research project supports industrial companies in complying with the NIS2 Directive, the EU Machinery Regulation, or the CRA.

5G-Sierra: Secure 5G Infrastructures

In the 5G-Sierra research project, Fraunhofer IPT is developing secure 5G use cases for networked, adaptive production.