Readying industrial connectivity for cybersecurity requirements
Key Highlights
- The EU Cyber Resilience Act (CRA) mandates strict cybersecurity compliance for digital products in the EU market, requiring vulnerability reporting by June 2026 and full lifecycle support by December 2027.
- Established standards like IEC 62443 are essential tools for manufacturers to translate the CRA’s broad regulatory requirements into practical, technical implementations for industrial automation and control systems.
- Industry-wide collaboration is bridging the gap between IT and OT by adapting proven commercial security practices, such as secure authentication and encryption, to meet the unique reliability and longevity needs of industrial environments.
Cyber assaults on industrial operations have resulted in all kinds of mayhem, ranging from minor inconveniences to significant production or data loss, and even physical damage due to kinetic attacks on operating equipment. Unfortunately, due to very long lifecycles, operational technology (OT) cybersecurity provisions for industrial automation have lagged in comparison with developments in commercial and consumer areas of the information technology (IT) world.
One regulatory response, aimed at strengthening cybersecurity across digital systems and applicable to both hardware and software products sold into the European Union (EU), is the EU Cyber Resilience Act (CRA). Implementation of the CRA has already started: it entered into force on December 10, 2024, and manufacturers of all digital products on the EU market, including legacy products, are required to report actively exploited vulnerabilities and severe incidents beginning on June 11, 2026. Starting on December 11, 2027, full application of the CRA takes effect for all new digital products placed on the EU market, mandating CE marking, conformity assessment and lifecycle support.
The CRA is designed to strengthen cybersecurity of digital systems throughout their entire lifecycle, from initial design to eventual decommissioning. Notably, the CRA defines what outcomes are required but not how to achieve them. This gap must be addressed through industry standards and best practices, underscoring the vital role of standards organizations.
Even before the CRA, industry has been progressively improving the cybersecurity of OT hardware, software and communications, for example, with the addition of local password storage directly on board instruments. The IT world has had much more experience with handling secure authentication strategies. Fortunately, just as many other IT and commercial-grade technical developments have been adapted for reliable use in demanding industrial-grade OT applications, cybersecurity technologies are following the same path.
FieldComm Group is a standards development organization (SDO) and has actively collaborated with other SDOs for years to establish cybersecure technologies from the industrial communications protocol perspective. Technologies are actively evolving to improve cybersecurity, and FieldComm Group is working to provide the tools and frameworks needed for supporting product suppliers and implementers with CRA compliance.
Identifying cybersecurity needs
The CRA is a wide-ranging initiative generally applying to products with a digital component and connectivity to other devices or networks. It requires secure-by-design development for new products, while a risk-based approach will permit existing products with compensating measures. Consideration for product lifecycle management will provide complete transparency surrounding the features and associated updates. This harmonized approach is intended to make it more straightforward for users to identify and implement appropriate cybersecurity features, resulting in safer and more resilient critical infrastructure, along with modern manufacturing and other digital systems. Products sold into the EU market will need to be CRA-compliant, and there are penalties associated with non-compliance.
One of the most relevant OT cybersecurity standards is IEC 62443, recognized as a global benchmark focused on industrial automation and control systems (IACSs). This standard provides requirements for secure product development, system-level security practices, organizational processes throughout the IACS lifecycle and a structured risk management framework with definition of security levels (SLs). For manufacturers, adopting IEC 62443 practices is a practical way to demonstrate alignment with CRA’s essential requirements (Figure 1).
Cybersecurity challenges for OT applications
Until the past few decades, OT installations were commonly air-gapped systems and largely standalone, a method that provided a degree of cybersecurity protection. However, the ability to interconnect all types of industrial assets together and with IT resources, to improve efficiency, data sharing and decision making, has become a fundamental requirement of modern systems.
Proven IT practices for secure authentication, encryption and layered access management are finding their place in the OT domain to address cybersecurity needs for increasingly connected and networked monitoring and control applications. Because most industrial automation systems integrate a multitude of devices from various manufacturers, often using different communication protocols and even relying on different host systems within a single plant, it is essential that cybersecurity measures are both effective and easy to manage at the enterprise level.
Just as commercial technologies like Ethernet and PCs were successfully adapted for industrial environments, cybersecurity practices originating in IT are now evolving to meet OT’s unique demands for long system lifecycles, uncompromising reliability and seamless interoperability across multi-vendor ecosystems.
Collaboration is central for OT cybersecurity
The Industrial Ethernet Security Harmonization Group (IESHG) was established by FieldComm Group, Profibus & Profinet International (PI), ODVA and the OPC Foundation to address security challenges. Over time, this group has evolved to be called the Industrial Security Harmonization Group (ISHG), hosted by the same four standards organizations but opened to participation from their extended member communities (Figure 2).
Moving forward, the ISHG will continue to collaborate on development of common specifications to enhance authorization and authentication. NAMUR Working Group 4.18 “Automation Security” has published recommendation NE 201 “Identity and Access Management on Automation Devices,” which will play a role in development of necessary authentication and authorization for OT devices.
The actions outlined above are all important first steps toward standardizing industrial-grade OT security implementations. Upcoming developments are planned for secure deployment of industrial communication covering process and factory protocols:
- EtherNet/IP
- Profinet
- OPC UA
- HART-IP
- WirelessHART
- Foundation Fieldbus
- Profibus PA
- IO-Link
- HART 4-20mA
- DeviceNet.
Many IT technologies are relevant for OT use, and, by adapting proven IT practices into standards designed for OT, the industry is building a foundation for CRA-compliant cybersecurity that is strong and practical for deployment in complex, multi-vendor environments. Implementing effective cybersecurity throughout OT installations will require effort, but a well-trained pool of IT talent will be positioned to assist.
Supporting industrial cybersecurity readiness
FieldComm Group defines industrial communication interoperability and performs conformance testing. Addressing cybersecurity, both in general and in support of CRA, is just another facet of this work. By leveraging proven enterprise-grade IT security technologies to support the unique requirements of industrial OT systems, FieldComm Group is helping establish a transparent, standards-based framework for OT cybersecurity, with two critical objectives:
- For members: delivering standards, tools and software to ensure CRA compliance and readiness for global markets
- For industry: providing interoperable, secure solutions that protect infrastructure, strengthen resilience and enable digital transformation.
A solid foundation is developing for industrial cybersecurity, formed by the convergence of regulation, standards and collaboration. CRA sets essential requirements but not implementation guidance. IEC 62443 provides domain-specific practices, while initiatives such as ISHG are translating these into a practical, interoperable framework.
FieldComm Group provides the leadership to ensure both manufacturers and end users are equipped with the standards, tools and technologies needed to safeguard critical infrastructure, meet compliance and accelerate digital transformation in an increasingly connected industrial landscape.
About the Author

Stephen Mitschke
FieldComm Group
Stephen Mitschke is director—standards development & conformance at FieldComm Group. He provides leadership for the organization’s specifications development programs, Product Registration (Conformity Assessment) program and cybersecurity initiatives. Mitschke oversees the submission of FieldComm Group specifications to the IEC and works closely with IEC SC65 to incorporate them as international standards. With 30 years of experience in industrial communication technologies, his expertise centers on device integration, including field device integration (FDI) and process automation device information model (PA-DIM), as well as alignment with key NAMUR recommendations such as NE107, NE175 and NE176. He represents FieldComm Group in cross-industry cybersecurity efforts with Profibus & Profinet International, ODVA and the OPC Foundation, including alignment with the emerging NE201 recommendation, focusing on a risk-based approach using IEC 62443, the international standard for industrial automation and control systems cybersecurity. Mitschke also leads the organization’s product security incident response team. He holds a bachelor of science degree in electrical engineering from the University of Texas at Austin.



