Jan Wendenburg, CEO of ONEKEY: ‘Industry must ensure that the software in connected devices, machines, and systems is up to date to defend against hackers.’
DUESSELDORF, Germany – “The German economy should invest more in industrial cybersecurity in 2025,” said Jan Wendenburg, CEO of Duesseldorf-based cybersecurity company ONEKEY. He refers to a study from last year (“OT+ IoT Cybersecurity Report 2024”), which highlights the industry’s need for improvement in this area. The acronym OT stands for Operational Technology, and IoT refers to the Internet of Things.
“Connected devices, machines and systems used in Industry 4.0, smart factories, smart buildings, critical infrastructure, logistics, energy supply, healthcare, and many other sectors need to be better protected against cyberattacks,” advised Jan Wendenburg. The problem is that many of these connected systems still rely on outdated software that is not sufficiently protected against cyber threats.
Software in Devices, Machinery, and Systems Should Be Regularly Updated
“The software used in machine controls and other components should be continuously updated by manufacturers to close newly discovered security gaps,” said the CEO of ONEKEY. He cites typical examples such as manufacturing robots, CNC machines, conveyors, packaging machines, production equipment, building automation systems, and heating and cooling systems, which, in some cases, rely on outdated software, making them targets for hackers. The study “OT+ IoT Cybersecurity Report,” which surveyed over 300 industrial companies, provides data on this issue.
Jan Wendenburg advises the industry to conduct thorough security checks when procuring connected devices and machines to assess how well the new acquisitions are protected against cyberattacks. According to a survey, only 29 percent of companies carry out such checks. An additional 30 percent admit to relying on superficial tests or spot checks. More than a quarter (26 percent) of respondents could not provide an answer to this question. “The unreported number of outdated software in manufacturing companies appears to be significantly high,” Wendenburg said. Only 28 percent of the surveyed companies have specific compliance requirements for the security of industrial control systems or devices in the Industrial Internet of Things sector.
Firmware Should Be Systematically Tested for Cyber Resilience
Firmware, the software embedded in digital control systems, connected devices, machines, and equipment, should be systematically tested for cyber resilience, advises Jan Wendenburg, CEO of ONEKEY. However, according to a report, less than a third (31 percent) of companies regularly conduct security checks on the software integrated into connected devices to identify and close vulnerabilities, thereby reducing potential entry points for hackers. Nearly half (47 percent) only perform occasional firmware tests or skip them entirely.
A Complete Software Bill of Materials is the Exception
Jan Wendenburg recommends having a complete Software Bill of Materials (SBOM) that provides a comprehensive overview of all used programs. However, the study reveals that only about a quarter (24 percent) of industrial companies have a complete SBOM. The majority of companies (51 percent) either lack an SBOM entirely or have an incomplete one. “Companies should address the gaps and weaknesses in their software assets immediately,” Wendenburg advised. He added, “Even a single outdated program in a machine can give hackers access to the company’s network.”
The CEO of ONEKEY gave an example from manufacturing industry: “Cybercriminals can remotely manipulate the internal configuration of a CNC machine through unprotected firmware, potentially damaging both the machine and the workpieces. The machine could be irreparably damaged, and an entire production batch could be ruined.” Additionally, hackers can exploit firmware vulnerabilities to gain access to the corporate network and launch a ransomware attack, where critical business data is encrypted and only released after a ransom is paid.
Supplier Assessment Should Be Strengthened
According to the ONEKEY report, the lack of visibility into software components in machinery and equipment can be attributed to the fact that only a few industrial companies conduct thorough checks of the embedded software from their device suppliers and third-party vendors. Just over a third (34 percent) use questionnaires from industry associations to assess the cybersecurity of their suppliers. 31 percent rely on standardized assessments and certifications. More than a tenth (11 percent) report having no established procedure to ensure that the equipment, machines, and systems purchased for operations are adequately protected against cyberattacks. “Every industrial company should gain a clear insight into the cyber risks with a complete Software Bill of Materials – from production and logistics to building automation.”
Responsibility Lies with Manufacturers and Users
Jan Wendenburg emphasizes that the responsibility for outdated machine software lies with both manufacturers and users. He points to the EU’s Cyber Resilience Act (CRA), which will prohibit the sale of connected devices with known vulnerabilities in the European Union starting December 11, 2027. Additionally, the CRA requires manufacturers to monitor firmware even after delivery and provide updated versions promptly when new security vulnerabilities are discovered.
Current practices fall far behind the required standards, as shown by the “OT + IoT Cybersecurity Report” by ONEKEY. Currently, only 28 percent of companies meet the regulation that will be mandatory starting in 2027, providing regular software updates for connected devices and machines delivered to customers. Thirty percent apply updates only sporadically, while 17 percent do not apply them at all.
“Manufacturers should align their software development with the upcoming regulatory requirements,” advised Jan Wendenburg. He added, “It is also recommended that the industry requires its suppliers to guarantee and prove the cyber resilience of their products.”
Visit ONEKEY at Embedded World 2025
Learn more about ONEKEY’s solutions for OT and IoT security at Embedded World 2025. ONEKEY will be exhibiting at booth 5-376 in Hall 5. For more information, visit the website: https://www.onekey.com…dworld2025
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated Compliance Wizard™ already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform (OCP) and ONEKEY Cybersecurity Experts.
Contact us: ONEKEY GmbH,
Kaiserswerther Str. 45, 40477 Duesseldorf, Germany,
Sara Fortmann, e-mail: sara.fortmann@onekey.com,
website: https://onekey.com
