Cyber security is no longer a topic that concerns only IT departments or specialists. At the latest since the attack on the Nord Stream pipeline in September 2022, it has been clear just how vulnerable critical infrastructures can be.
Incidents in recent months have also shown how closely digital systems, industrial processes and our everyday lives are now interconnected. The outage affecting an entire district in Berlin-Lichterfelde in January 2026 and the cyber attack on Deutsche Bahn’s booking system in February 2026 are just two prominent examples.
Behind this lies a development that many companies are already experiencing on a daily basis: cyber attacks are no longer exceptional events. They have become part of everyday business operations – with varying levels of intensity, different objectives and very different consequences.
New Requirements for Greater Security
At European level, this development is being addressed, among other things, through the Cyber Resilience Act and the Directive on measures for a high common level of cybersecurity across the Union, known as NIS 2.
Both sets of regulations pursue a clear objective: products, systems and processes must become more resilient to cyber risks. This applies not only to traditional IT systems, but explicitly also to industrial environments.
For companies in mechanical and plant engineering, this means that cyber security is increasingly becoming an integral part of technical concepts, development processes and project coordination.
What This Means for OCTUM
OCTUM operates as a system integrator for industrial image processing in mechanical and plant engineering. We develop customer-specific inspection systems for quality assurance and, in some cases, our solutions also perform control tasks within production lines.
Following the announcement that the IEC 62443 series of standards for IT security in industrial automation and control systems is to be included as part of the Machinery Regulation, we at OCTUM have been addressing the topic of cyber security intensively and systematically since July 2024. The Machinery Regulation will enter into force on 20 January 2027.
As a system integrator and manufacturer of our own software products, we regularly supply machine builders whose systems are used in areas of critical infrastructure. These include, for example, applications in the filling of active pharmaceutical ingredients and vaccines or in the production of medical consumables.
A Good Starting Point – but No Reason to Sit Back
Our initial analysis of the new requirements has shown that, thanks to our strong focus on the pharmaceutical and medical technology sectors, many security-relevant foundations are already in place.
These include, among other things, complete change logging and fine-grained rights management with central user administration. Company-specific password rules can also be implemented there.
In short: anyone who has been active in regulated industries for many years is not starting from scratch when it comes to cyber security. But that does not mean that everything has already been done.
Transparency Across Software and Hardware Versions
The analysis also revealed areas with potential for improvement. One important aspect is the consistent traceability of the software and hardware versions of delivered systems.
This transparency is crucial when security vulnerabilities need to be assessed, updates planned or systems supported over the long term.
OCTUM will close this gap by extending its own ERP software – at its own expense. The aim is to offer our customers an even higher level of transparency and security in this area as well.
Cyber Security Belongs in Project Coordination from the Start
In our view, one point is particularly important: cyber security must not be discussed only at the end of a project.
Ideally, the topic should already be taken into account during the quotation phase. This is the only way to integrate our systems effectively into a holistic security concept.
This is crucial for two reasons. On the one hand, protective measures must be technically meaningful and effective. On the other hand, unnecessary security barriers within a production line should be avoided.
After all, security must not mean that industrial processes become unnecessarily complex, expensive or difficult to operate. Practical cyber security must protect – but it must also work.
Keeping Competitiveness in View
This point is particularly important for Germany as an industrial location. Higher security requirements are necessary and sensible. At the same time, they must remain economically feasible.
When cyber security is planned early, systematically and collaboratively, technical requirements, regulatory specifications and economic framework conditions can be better aligned.
This is not just a technical task. It is also a contribution to keeping industrial value creation competitive.
Exchange Instead of Isolated Solutions
Another topic is becoming increasingly important: how to deal with reported security vulnerabilities.
Many companies face the challenge of analysing numerous notifications, assessing them from a technical perspective and evaluating them appropriately in relation to their own business field.
This cannot be solved sustainably by each company acting alone. To ensure an appropriate level of security in the long term, dialogue, joint discussion and coordinated approaches are needed.
In our view, this is precisely the key to practical and cost-efficient solutions.
Shared Responsibility for Industrial Security
OCTUM is therefore involved in the VDMA working groups “Information Security” and “Security Solutions for Industry”.
We expressly welcome the participation of other companies and look forward to continued dialogue.
Industrial cyber security is not a task that one company can solve alone. It is created where manufacturers, integrators, machine builders and operators work together at an early stage.
Or, to put it more simply: networked systems also need networked thinking.

