A Framework for Cybersecurity in Industrial Communications

 

The Urgent Need to Standardize Cybersecurity in Industrial Communications

Industrial companies are increasingly vulnerable to cybersecurity threats due to the absence of standardized frameworks for penetration testing and vulnerability assessment. The cybersecurity landscape is largely dominated by large corporations and government entities, often leaving industrial companies—particularly small and medium enterprises (SMEs)—without adequate support or tailored solutions.

While cybersecurity for traditional IT environments has matured, industrial cybersecurity remains notably underserved. Unique challenges—such as proprietary communication protocols, real-time constraints, and safety-critical dependencies—complicate the implementation of robust security measures in operational technology (OT) environments.

As a result, many industrial companies face elevated risks with limited resources. There is no unified framework to ensure validation, traceability, or continuous improvement. In this environment, successful cyberattacks can lead to costly downtime, safety incidents, and long-term operational disruption.

To illustrate the scale of this issue:

  • The EU is home to approximately 2.36 million manufacturing companies, representing 5.27% of all enterprises.

  • Annual financial losses from cyber incidents in industrial settings amount to billions of euros.

  • Misuse of industrial systems (e.g., lasers, robotic arms, load dumps) introduces direct safety risks to personnel and infrastructure.

At the same time, globalization has opened new horizons—and challenges—for EU manufacturers. In 2023, the EU’s total trade in goods surpassed €5.073 trillion, reflecting a deeply interconnected industrial ecosystem. However, this interdependence also increases exposure to quality and cybersecurity risks.

Supply chains now span multiple countries and rely heavily on digital infrastructure. Vulnerabilities in one link of the chain can have cascading effects—disrupting production, compromising data, and incurring substantial financial and reputational losses. Cyberattacks exploiting these channels have become more sophisticated and frequent.

This reality underscores the need for companies to adopt comprehensive, internationally aligned strategies. Standards such as ISO/IEC 27036—which addresses information security for supplier relationships—are increasingly vital in managing this complexity.

In today’s industrial landscape, safeguarding digital infrastructure isn’t just about protecting assets. It’s about securing trust, continuity, and global competitiveness.


A Structured Approach to Industrial Cybersecurity

To close this gap, we are developing a service-oriented approach focused on empowering industrial companies—particularly SMEs—with the tools, guidance, and standards needed to proactively address cybersecurity risks.

Key Objectives:

1. Develop standardized penetration testing methodologies.
Our aim is to eliminate the “blank page” effect many companies face when initiating cybersecurity assessments. Through predefined, adaptable testing methods, we offer a clear and structured starting point, making vulnerability detection more effective and repeatable.

2. Provide accessible tools for vulnerability and requirement validation.
Misconceptions such as “this won’t happen in our sector” are common. By offering practical, easy-to-use tools with relevant industrial use cases, we help stakeholders challenge assumptions and understand the evolving threat landscape in their domain.

3. Support IEC 62443 compliance and its derivatives.
We align our framework with internationally accepted standards like IEC 62443, offering a strong baseline that supports auditability, system lifecycle security, and regulatory alignment.

4. Enable automated metrics and requirement verification.
Robust cybersecurity requires measurable indicators. Our system enables automated validation of security requirements and the generation of traceable, actionable metrics for continuous improvement.

5. Configure a scalable, model-based service framework.
The framework is designed to adapt to various levels of cybersecurity maturity. From basic manual assessments to integrated, automated pipelines, the service grows alongside the organization.

Supported Protocols and Technologies:

Our framework is built to support a comprehensive set of industrial communication technologies:

  • Ethernet-based protocols: Ethernet, EtherNet/IP, EtherCAT, PROFINET, Modbus TCP

  • CAN-based protocols: CAN, CAN FD, CAN XL, CANopen, J1939

  • Legacy/Fieldbus protocols: RS-485, Modbus, PROFIBUS, IO-Link

  • Embedded platforms: Embedded Linux distributions

By focusing on these critical protocols, we ensure the framework covers the most commonly used and vulnerable communication channels in industrial environments.


While our technical approach is designed to empower industrial companies with actionable tools and standardized methodologies, it’s equally important that these efforts are carried out with the utmost integrity and responsibility. Cybersecurity initiatives—especially those involving penetration testing and vulnerability analysis—must be guided not only by technical rigor but also by strong ethical foundations. As we provide companies with the means to strengthen their defenses, we are also fully committed to ensuring that every action taken respects legal boundaries, stakeholder trust, and the critical nature of the systems involved. This is where our ethical framework plays a central role.


Ethical Framework: Building Trust Through Responsible Practice

At the heart of our initiative lies a commitment to ethical conduct. Every cybersecurity activity—especially those that involve sensitive industrial infrastructure—must be executed with full respect for stakeholders, legal norms, and operational safety.

Our Ethical Principles:

1. Prior Consent and Authorization
All testing and assessments will be conducted under formal agreements with system owners or authorized stakeholders. No unauthorized activities will occur. Clear contracts and mission orders will define the scope and responsibilities for each engagement.

2. Responsible Disclosure
We follow international best practices for vulnerability disclosure, including ISO/IEC 29147 and ISO/IEC 30111. Vulnerabilities will be reported privately and responsibly to asset owners—never exposed publicly without prior consent.

3. Minimization of Harm
Testing will be planned to minimize any potential impact on live operations. Whenever possible, assessments will be conducted in controlled environments, such as sandboxes or testbeds, or scheduled during designated maintenance windows.

4. Transparency and Stakeholder Communication
We ensure stakeholders are continuously informed of the testing scope, methods, potential risks, and outcomes. This transparency builds trust and aligns cybersecurity actions with business priorities.

5. Data Protection and Privacy
Any sensitive or personal data encountered during testing will be handled in full compliance with GDPR and relevant data protection laws. Data will be minimized, anonymized where possible, and securely deleted after the engagement.


Confidentiality Measures

Protecting confidential information is foundational to maintaining trust and accountability in cybersecurity work. We have implemented strict measures to protect stakeholder data at every step of the process.

Confidentiality Commitments:

  • Non-Disclosure Agreements (NDAs):
    All project participants—including subcontractors and employees—will sign NDAs to prevent unauthorized sharing or misuse of confidential information.

  • Information Handling:
    All documents and data (e.g., vulnerability reports, system architectures) will be classified, access-controlled, and handled according to rigorous internal security policies.

  • Secure Communication:
    Sensitive data will be exchanged using encrypted and authenticated channels—such as secure email platforms and VPN-protected file transfers.

  • Data Storage and Disposal:
    Project data will be encrypted during storage and permanently deleted upon project closure, following standards such as NIST SP 800-88.

  • Audit Readiness:
    We maintain documentation of all ethical, legal, and confidentiality-related activities. These records are available for audit by CYSSDE, ECCC, or other designated bodies upon request.

Alignment with EU Principles

Our project is fully aligned with European values and legal frameworks, including:

  • Horizon Europe Ethics Guidelines

  • The Charter of Fundamental Rights of the European Union

  • The NIS2 Directive

  • The Cyber Resilience Act


By embedding ethics and confidentiality considerations from the outset, we aim to ensure that all project activities foster trust, respect stakeholders’ rights, and uphold the highest standards of professionalism and responsibility.