Mirko Ross and Dirk Leitsch on

CRA in mechanical engineering: Rethinking how we build, run, and secure machines

In a conversation with Dirk Leitsch, asvin CEO Mirko Ross discusses the impact of the Cyber Resilience Act (CRA) on the mechanical engineering industry. The key takeaways go far beyond traditional compliance issues. The discussion centers on how machines will need to be built, operated, and secured throughout their entire lifecycle in the future.

Here’s an overview of the key takeaways from the conversation:

The CRA Is Already a Reality – Not a Future Prospect

The Cyber Resilience Act is already in effect. What matters is not the starting point of the regulation, but its phased implementation over several deadlines.

For manufacturers, this means that the requirements do not simply take effect “sometime in 2027” but are already being phased in gradually.

Cybersecurity becomes part of product conformity

Until now, product safety in mechanical engineering has primarily been a matter of functional safety.

The CRA significantly broadens this perspective:

  • Cybersecurity is becoming an integral part of product conformity.
  • A machine must not only be functionally safe, but also protected against digital attacks.
  • Especially in networked OT production environments, the line between these two worlds blurs: a compromised control system is both an IT and an OT issue and poses a direct risk to physical operations, which could, for example, endanger the health of employees in the event of an accident.

All products with digital elements are affected

The CRA has a broad scope: The decisive factor is the presence of digital components in the product.

These include, in particular, industrial control systems and modern machine architectures in which software, sensor technology, and networking technology are firmly integrated. The goal of the CRA is to establish cybersecurity as an integral part of product design and the product lifecycle.

Risk assessment is being expanded to include cybersecurity and software vulnerabilities

In the future, manufacturers must systematically assess cyber risks.

Essentially, this involves three questions:

  • What software vulnerabilities exist in the product?
  • What would be the consequences if an attacker exploited them?
  • How likely is an attack scenario?

This approach builds on traditional safety analyses, which the CRA expands to include digital attack scenarios.

Vulnerability management becomes an ongoing process

A central focus of the CRA is the continuous management of software vulnerabilities.

In standard practice in the mechanical and plant engineering industries, products are developed, delivered, integrated into the production process, and then accepted by the customer. After acceptance, the motto “never change a running system” often applies.

As a result, software updates are frequently installed on machines and systems only reluctantly – if at all.

With the CRA, manufacturers must continuously monitor whether new vulnerabilities arise, assess them, and provide appropriate measures such as software updates. Of particular relevance here are vulnerabilities that can be actively exploited and thus have immediate security-critical implications.

Updates Are Becoming a Mandatory Requirement in Product Design

A major structural shift in the mechanical and plant engineering industry concerns the issue of software updates.
The adage “Never change a running system” no longer applies in this context.

In the future, products must be designed in such a way that security updates are possible without compromising the reliable operation of the system.

In practice, this means implementing software update processes on secure architectures: secure communication protocols, hardened management of software packages, and additional software-security capabilities and interfaces built into product development.
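As an added example (not code from the interview, from asvin, or from any machine vendor), the following Python script shows what "updates without compromising reliable operation" can look like at the controller: the package is verified before anything is written, an older or replayed version is refused, the image is staged into the inactive A/B slot, and only a passing self-test switches production over. All payloads, versions and the BOOT-OK marker are constructed; the HMAC under a key assumed to be provisioned at manufacturing stands in for the asymmetric signature a real deployment would use, so the example stays standard-library only.

```python
"""Controlled security update for a machine controller: verify, stage, self-test, switch or roll back.

Constructed example. Payload bytes, version numbers and the BOOT-OK marker are made up.
The package is authenticated with an HMAC under a key assumed to be provisioned at
manufacturing; this is a stand-in for a proper asymmetric signature, used only to keep
the example dependency-free.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
MANUFACTURER_KEY = b"constructed-demo-key-not-for-real-devices"  # assumption, see docstring


@dataclass
class UpdatePackage:
    version: Version
    payload: bytes
    payload_sha256: str   # digest of the payload, part of the authenticated manifest
    tag: str              # authenticates version and digest together, so neither can be swapped


def _manifest(version: Version, digest: str) -> bytes:
    return ("%d.%d.%d:%s" % (*version, digest)).encode()


def sign_package(version: Version, payload: bytes, key: bytes = MANUFACTURER_KEY) -> UpdatePackage:
    """Manufacturer side: build the package together with its authenticated manifest."""
    digest = hashlib.sha256(payload).hexdigest()
    tag = hmac.new(key, _manifest(version, digest), hashlib.sha256).hexdigest()
    return UpdatePackage(version, payload, digest, tag)


@dataclass
class Controller:
    """A/B slots: the running slot is never written; the standby slot is staged and tested first."""
    slots: Dict[str, Optional[bytes]]
    active: str = "A"
    version: Version = (1, 0, 0)
    log: List[str] = field(default_factory=list)

    def verify(self, pkg: UpdatePackage) -> Optional[str]:
        """Return a rejection reason, or None if the package may be staged."""
        if hashlib.sha256(pkg.payload).hexdigest() != pkg.payload_sha256:
            return "payload digest mismatch"
        expected = hmac.new(MANUFACTURER_KEY, _manifest(pkg.version, pkg.payload_sha256),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, pkg.tag):
            return "authenticity check failed"
        if pkg.version <= self.version:
            return "downgrade or replay rejected"  # anti-rollback: never return to a patched-out version
        return None

    def apply(self, pkg: UpdatePackage, self_test: Callable[[bytes], bool]) -> str:
        """Outcome is 'rejected', 'rolled_back' or 'applied'; production keeps running throughout."""
        reason = self.verify(pkg)
        if reason is not None:
            self.log.append(f"rejected {pkg.version}: {reason}")
            return "rejected"
        standby = "B" if self.active == "A" else "A"
        self.slots[standby] = pkg.payload            # stage into the inactive slot only
        if not self_test(pkg.payload):               # exercise the staged image before trusting it
            self.slots[standby] = None               # discard; the active slot was never touched
            self.log.append(f"rolled back {pkg.version}: self-test failed")
            return "rolled_back"
        self.active, self.version = standby, pkg.version   # switch to the verified image
        self.log.append(f"applied {pkg.version} in slot {standby}")
        return "applied"


def boots_ok(firmware: bytes) -> bool:
    """Constructed stand-in for a post-boot self-test of the staged image."""
    return b"BOOT-OK" in firmware


if __name__ == "__main__":
    ctl = Controller(slots={"A": b"FW 1.0.0 BOOT-OK", "B": None})
    print(ctl.apply(sign_package((1, 1, 0), b"FW 1.1.0 BOOT-OK"), boots_ok), ctl.active, ctl.version)
    print(ctl.apply(sign_package((1, 2, 0), b"FW 1.2.0 BROKEN"), boots_ok), ctl.active, ctl.version)
    print(ctl.log)
```

The order of checks matters: integrity and authenticity are established before the version comparison, so a forged manifest cannot be used to probe the anti-rollback logic, and nothing reaches the standby slot until all three checks pass.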

The supply chain becomes part of the security responsibility

Modern machines consist of many individual digital components – from sensors and actuators to controllers, firewalls, and industrial routers.

This complexity shifts the responsibility:

Under the CRA, the machine manufacturer is responsible for the cybersecurity of the entire product – regardless of where individual components come from.
As a result, supply chain management becomes a central component of the security strategy.
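The three risk questions, the continuous vulnerability monitoring, and the supply-chain responsibility described above come together in one recurring task: matching the machine's full component inventory against incoming advisories and ranking what to fix first. The Python script below is an added example (not asvin's tooling or any vendor's process) that does one pass of that task over a constructed bill of materials drawn from three hypothetical suppliers and a constructed advisory feed; component names, versions, supplier names and the `VULN-000x` ids are all made up, and the scoring scale (1 to 5 for consequence and likelihood, with known active exploitation treated as maximum likelihood) is an assumption, not a CRA requirement.

```python
"""Machine-level vulnerability triage across a multi-supplier inventory.

Constructed example: component names, versions, supplier names and the VULN-000x ids
are invented; the feed format stands in for whatever advisory source a manufacturer
actually subscribes to.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    supplier: str   # origin is tracked, but responsibility stays with the machine builder
    role: str


@dataclass(frozen=True)
class Finding:
    component: Component
    vuln_id: str
    impact: int              # 1..5: consequence if an attacker exploited the flaw
    likelihood: int          # 1..5: how likely the attack scenario is
    exploited: bool          # active exploitation is known
    fix_version: Optional[str]

    def effective_likelihood(self) -> int:
        # A vulnerability with known active exploitation is treated as maximally likely.
        return 5 if self.exploited else self.likelihood

    def risk(self) -> int:
        return self.impact * self.effective_likelihood()


# The machine builder's own bill of materials, assembled from several suppliers (constructed).
MACHINE_INVENTORY: List[Component] = [
    Component("plc-runtime", "4.2.1", "SupplierA", "controller"),
    Component("edge-router-fw", "2.0.0", "SupplierB", "router"),
    Component("ot-firewall", "7.1.5", "SupplierB", "firewall"),
    Component("vision-sensor-fw", "1.3.0", "SupplierC", "sensor"),
]

# A constructed advisory feed; "affected" lists the exact versions an entry applies to.
VULN_FEED: List[dict] = [
    {"id": "VULN-0001", "component": "plc-runtime", "affected": ["4.2.0", "4.2.1"],
     "fixed_in": "4.2.2", "impact": 5, "likelihood": 3, "exploited": True},
    {"id": "VULN-0002", "component": "edge-router-fw", "affected": ["1.9.0"],
     "fixed_in": "2.0.0", "impact": 4, "likelihood": 3, "exploited": False},
    {"id": "VULN-0003", "component": "vision-sensor-fw", "affected": ["1.3.0"],
     "fixed_in": None, "impact": 2, "likelihood": 2, "exploited": False},
    {"id": "VULN-0004", "component": "ot-firewall", "affected": ["7.1.5"],
     "fixed_in": "7.2.0", "impact": 4, "likelihood": 4, "exploited": False},
]


def match_findings(inventory: List[Component], feed: List[dict]) -> List[Finding]:
    """Question 1: which vulnerabilities exist in the product? Match advisories to shipped versions."""
    by_name = {c.name: c for c in inventory}
    findings = []
    for entry in feed:
        comp = by_name.get(entry["component"])
        if comp is None or comp.version not in entry["affected"]:
            continue  # not in this machine, or a version the advisory does not cover
        findings.append(Finding(comp, entry["id"], entry["impact"], entry["likelihood"],
                                entry["exploited"], entry["fixed_in"]))
    return findings


def priority(finding: Finding) -> str:
    """Questions 2 and 3 folded into a tier: consequence x likelihood, with exploitation escalating."""
    if finding.exploited or finding.risk() >= 20:
        return "immediate"
    if finding.risk() >= 9:
        return "scheduled"
    return "monitor"


def remedy(finding: Finding) -> str:
    """The measure to provide: a vendor fix where one exists, otherwise compensating controls."""
    c = finding.component
    if finding.fix_version:
        return f"update {c.name} {c.version} -> {finding.fix_version}"
    return f"no fix available: apply compensating controls around {c.name}"


def triage(inventory: List[Component], feed: List[dict]) -> List[Dict[str, object]]:
    """One pass of the continuous process: rank every open finding for the whole machine."""
    ranked = sorted(match_findings(inventory, feed), key=lambda f: f.risk(), reverse=True)
    return [{"vuln": f.vuln_id, "component": f.component.name, "supplier": f.component.supplier,
             "risk": f.risk(), "priority": priority(f), "remedy": remedy(f)} for f in ranked]


if __name__ == "__main__":
    for row in triage(MACHINE_INVENTORY, VULN_FEED):
        print(row)
```

Two points the output makes visible: the advisory for the router does not match because the shipped version is outside its affected range, so a version-exact inventory prevents wasted patch cycles; and the sensor finding with no vendor fix still appears on the list with a remedy, because the machine builder owns that risk even though the component came from a supplier.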

The real challenge is organizational

Technically, many of the concepts are not new. The challenge lies elsewhere.

Machine builders must develop new capabilities:

  • Software vulnerability management
  • Software lifecycle management
  • Patch and update processes
  • Continuous risk assessment

As a result, due to the time constraints imposed by the Cyber Resilience Act, these changes must be implemented faster than organizations are prepared for.

At the same time, the traditional OT, IT, and engineering worlds of machinery and plant engineering are converging more closely, often faster than organizations are prepared for in terms of structure, personnel, processes, and tools.

More context in the video

The points described here are taken from a conversation between Dirk Leitsch and asvin CEO Mirko Ross. In the interview, the connections between the Machinery Directive, the Cyber Resilience Act, and industrial practice are explained in detail.

Conclusion: The CRA is changing rules, processes, and products

The Cyber Resilience Act is changing the way machines are developed, networked, and operated.

Through the CRA, cybersecurity is becoming an integral part of the entire product lifecycle and thus has an impact from development through operation.
This creates additional work for manufacturers. At the same time, however, it also provides a clear strategic advantage:

Security becomes a differentiating quality feature in the market.
Since the CRA is part of the CE framework, in the future only products that comply with the CRA will be allowed to be placed on the European market.