Cybersecurity without overengineering
Key Highlights
- Industrial cybersecurity prioritizes availability and data integrity over confidentiality, requiring a realistic, risk-based approach aligned with standards such as the EU Cyber Resilience Act and IEC 62443.
- EtherCAT inherently limits its attack surface by operating outside IP-based communication and enforcing hardware-level control of data exchange, preventing unauthorized manipulation at the field level.
- Effective industrial cybersecurity depends not only on protocol features but also on sound system architecture, realistic threat assessment and proportionate safeguards that avoid unnecessary complexity and operational risk.
Industrial applications place very specific demands on cybersecurity. Availability and deterministic behavior are paramount, and the primary protection goal is usually data integrity—ensuring that commands, setpoints and feedback data cannot be manipulated—rather than strict confidentiality of process data. A realistic, risk-based approach is therefore essential.
Risk-based cybersecurity as a regulatory and practical foundation
Regulations and standards reflect this necessity. Both the EU Cyber Resilience Act (CRA) and the IEC 62443 series for industrial automation and control systems are built on the principle that cybersecurity measures must be proportionate to risk. Risk is defined by the combination of the potential impact of an attack and the likelihood that such an attack can realistically occur under “reasonably foreseeable” conditions.
This approach explicitly avoids exaggerated threat scenarios and blanket requirements that drive up cost and complexity without improving real security. Overengineered cybersecurity can easily backfire: excessive authentication steps, complex certificate handling or performance-reducing encryption may interfere with commissioning, diagnostics, maintenance and 24/7 operation. Experience shows that measures that are impractical in daily operation are often bypassed, ultimately reducing, rather than increasing, security.
EtherCAT and cybersecurity: Integrity, availability and a risk-based approach
Cybersecurity has become a central concern in industrial automation; take intralogistics as just one prime example. Conveyor systems, sorters, automated storage and retrieval systems (AS/RS) and mobile robots form the backbone of modern distribution centers and production supply chains. These systems are highly automated, performance-critical and increasingly connected, yet they are typically not operated in physically protected environments.
Operators, maintenance staff, contractors and service personnel often have direct physical access to equipment, sensors, drives and control cabinets. As a result, cybersecurity is not a theoretical concern but a practical requirement.
IEC 62443 therefore allows different ways of meeting its foundational requirements. Integrity, availability and even confidentiality can be achieved through architectural means, physical measures, and protocol characteristics, not exclusively through cryptography.
EtherCAT in machine automation
EtherCAT is widely used in many industries due to its high performance, precise synchronization, flexible topology and scalability. Long machine lines, large numbers of drives and I/O modules and distributed motion applications benefit from its deterministic behavior and efficient use of bandwidth.
Beyond performance, EtherCAT’s functional principle has important cybersecurity implications. EtherCAT operates directly at the Ethernet layer using its own EtherType and does not rely on the Internet protocol (IP). Process data are processed “on the fly” in hardware by dedicated EtherCAT SubDevice controllers, without the use of switches. This design not only enables short cycle times and precise synchronization, but also fundamentally limits the attack surface.
Integrity by design: Protection against data manipulation
In environments where physical access to machines is common and personnel cannot automatically be considered fully trustworthy, preventing manipulation of control data is often the most important security objective. EtherCAT addresses this requirement inherently.
Only valid EtherCAT frames are accepted and processed by SubDevices. Any non-EtherCAT traffic, regardless of its content, is identified in hardware and discarded immediately. Malware, ransomware or other IP-based attack traffic cannot propagate within an EtherCAT network because such traffic depends on IP and higher-layer protocols that EtherCAT does not use.
Communication follows a strict hierarchical model: all communication is initiated and controlled by the MainDevice, and SubDevices merely insert or extract their data at predefined positions within a frame. SubDevices cannot send frames autonomously, cannot listen to traffic not intended for them and cannot modify data outside their assigned process data area. Even a compromised or faulty SubDevice firmware cannot violate these rules, as they are enforced by hardware.
This means unauthorized manipulation of commands or feedback data at the field level is inherently prevented. Attempting to inject or alter process data through standard cyberattack methods is simply not possible within the EtherCAT network.
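The following Python model is an added illustration of the two hardware-enforced rules described above, not code from the article or from the EtherCAT Technology Group: a SubDevice processes only frames carrying EtherCAT's own EtherType (0x88A4, the registered value), and it can only write inside the process data window the MainDevice assigned to it. The frame contents, device names and window sizes are constructed for the example; an unconfigured device models a SubDevice plugged into the segment without being enabled by the MainDevice.

```python
import struct

ETHERTYPE_ETHERCAT = 0x88A4  # EtherCAT's own EtherType; IPv4 (0x0800) and ARP (0x0806) are never processed

def ethertype(frame: bytes) -> int:
    """EtherType of a raw Ethernet II frame (bytes 12 and 13)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack_from("!H", frame, 12)[0]

def subdevice_accepts(frame: bytes) -> bool:
    """Ingress rule of the SubDevice hardware: non-EtherCAT frames are discarded."""
    return ethertype(frame) == ETHERTYPE_ETHERCAT

def build_frame(ethertype_value: int, payload: bytes) -> bytes:
    """Constructed sample frame: broadcast destination, locally administered source MAC."""
    return bytes.fromhex("ffffffffffff020000000001") + struct.pack("!H", ethertype_value) + payload

class SubDeviceModel:
    """Positional rule: a SubDevice only touches the process data window assigned by
    the MainDevice. window=None models a device plugged in but never configured."""

    def __init__(self, name: str, window=None):
        self.name = name
        self.window = window  # (offset, length) within the logical process image

    def write(self, image: bytearray, offset: int, data: bytes) -> bool:
        if self.window is None:
            return False  # unconfigured device has no influence on the exchange
        start, length = self.window
        if offset < start or offset + len(data) > start + length:
            return False  # write into another device's area is refused
        image[offset:offset + len(data)] = data
        return True

def demo() -> dict:
    """Run the model on constructed traffic and return each outcome."""
    image = bytearray(16)
    drive = SubDeviceModel("drive", window=(0, 8))
    rogue = SubDeviceModel("rogue")  # added to the segment, never configured
    return {
        "ecat_accepted": subdevice_accepts(build_frame(ETHERTYPE_ETHERCAT, bytes(12))),
        "ipv4_accepted": subdevice_accepts(build_frame(0x0800, bytes(20))),
        "drive_in_window": drive.write(image, 0, b"\x01\x02"),
        "drive_out_of_window": drive.write(image, 6, b"\x00\x00\x00"),
        "rogue_write": rogue.write(image, 0, b"\xff"),
    }
```

Running `demo()` shows the IPv4 frame dropped at ingress, the configured drive limited to its own eight bytes, and the unconfigured device unable to write anything.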
Physical access does not automatically mean cyber vulnerability
While physical access increases the theoretical attack surface, it does not automatically translate into effective cyberattacks. Adding an unauthorized SubDevice to an EtherCAT network, for example, does not grant any influence over communication unless the MainDevice explicitly configures and enables it. Unused ports can be disabled in hardware, further reducing that threat.
If an attacker has extensive physical access and malicious intent, there are usually far simpler ways to disrupt a control system than attempting a sophisticated cyberattack at the fieldbus level. From a risk perspective, this reinforces the importance of focusing on realistic threats rather than extreme scenarios.
System architecture still matters
Cybersecurity is not only about protocol features. System architecture plays a decisive role. EtherCAT supports a clear separation between the real-time automation network and higher-level IT or plant networks. In typical industrial architectures, protecting the controller and its northbound interfaces, using established IT security measures such as firewalls, access control and secure remote access, addresses the dominant attack vectors.
By contrast, architectures in which every field device is directly exposed to IP-based networks require each node to implement complex security mechanisms. This significantly increases system complexity, lifecycle cost and operational risk. The industry is increasingly returning to structured, compartmentalized architectures that align well with EtherCAT’s design philosophy.
Meeting today’s and tomorrow’s requirements
From a standards perspective, EtherCAT already meets the requirements typically associated with IEC 62443 Security Level 2, which covers protection against most intentional attacks and is sufficient for the vast majority of industrial applications. Importantly, this is achieved without any changes or extensions to the EtherCAT protocol.
For applications with even higher security requirements, the EtherCAT Technology Group is defining additional measures that remain backward compatible. These enhancements focus on software-based solutions in the MainDevice and optional extensions, avoiding technology breaks and protecting existing investments. EtherCAT’s history of strict backward compatibility ensures that systems installed years ago remain interoperable with new devices and future security concepts.
Pragmatism as a security strategy
Cybersecurity is not about applying every possible countermeasure, but about making informed, risk-based decisions. EtherCAT demonstrates that a technology designed for deterministic, real-time automation can also provide strong inherent protection against cyber threats, particularly against data manipulation.
By combining EtherCAT’s built-in characteristics with sound system architecture and proportionate security measures, machine builders and operators can meet regulatory requirements, maintain high availability and avoid unnecessary complexity. In industries where downtime is costly and reliability is critical, this pragmatic approach is not just efficient; it is essential.
About the Author
Martin Rostan
EtherCAT Technology Group
Martin Rostan is executive director of EtherCAT Technology Group. Contact him at [email protected].