Connected but Vulnerable: Why IIoT Requires Strong Cybersecurity
Author: Thorsten Rienth
The Industrial Internet of Things (IIoT) is transforming production processes across the globe. This is driving demand for reliable cybersecurity – an area in which DEKRA provides comprehensive support to companies.
In the past, machines stoically turned, milled, and drilled away – today, they ‘chat’ incessantly. Right down the line, across to the neighboring hall, or even to another location in the manufacturing network. This is all facilitated by a networked mesh of devices that utilize the Industrial Internet of Things (IIoT) and the Internet of Things (IoT). Sensors continuously report statuses, temperatures, vibrations, or utilization rates to the company network or directly to the cloud. The networked lines make production faster, more transparent, and controllable in real time – but they also make it more vulnerable. “Every new connection, every additional sensor also creates a potential attack surface,” warns Antonio Vizcaíno, responsible for technical sales at the Cybersecurity Hub from the DEKRA Digital & Product Solutions service division.
New cyber risks in networked production
Attacks on companies have increased significantly in recent years. IIoT and IoT components are among the most frequently used gateways. According to the recent “Economic Protection Study 2025” presented by the German industry association Bitkom e.V., 87 percent of German companies were affected by data theft, espionage, or sabotage in the past twelve months. In the previous year, the figure was 81 percent. The damage caused amounts to 289.2 billion euros, an increase of around eight percent. But it is no longer just about stolen data: it can also be dangerous to life and limb, for example when hackers manipulate steam boilers, pressure equipment, or tank systems. Companies that maintain their defenses against cyber threats are therefore also protecting themselves.
But that's not all. “Politicians around the globe are also responding to the new threats,” explains Vizcaíno. “In the European Union, for example, they are taking action with the Cyber Resilience Act, the RED and NIS-2 regulations, and IEC 62443 standards.” Affected companies must ensure compliance, as it is called in technical jargon. “The exact requirements often depend on company size, industry, level of criticality for public safety, or the exact application location of products, systems, and sometimes even services. Cybersecurity is no longer just an add-on, but a mandatory requirement.”
Navigating the regulatory landscape in IIoT
Imagine a universe that is not made of stars and galaxies, but of cybersecurity.
The sun at the center says “IoT device.” Orbiting closely around it are more than a dozen planets with names like Cyber Resilience Act, US Cyber Trust Mark, UK PSTI. Together, they form a regulatory belt, defining the framework for connected devices. Further out, a second orbit hosts a wider constellation with planets labeled EN 18031, ETSI EN 303 645, IoXt Alliance, SESIP, and CTIA IoT. These represent a range of individual certifications organizations may need to demonstrate compliance or market trust. Beyond these structured paths float a few planets without fixed orbits, symbolizing directives such as NIS-2, derived from the Cyber Resilience Act and currently being translated into national law across EU member states. As the IIoT ecosystem grows more complex, so too does its regulatory galaxy.
The future belongs to networked industrial plants. But without excellent cybersecurity measures, these plants can quickly become security vulnerabilities. Cybersecurity is therefore an important pillar of overall safety and thus a central component of the DEKRA conformity assessment process.
IIoT cybersecurity requires expert knowledge
The message conveyed by the graphic is clear: Given the abundance of requirements, regulations and standards, it is nearly impossible to address them all without the help of qualified specialists. Those who, like DEKRA, know the ins and outs of the system can maintain an overview. “We see ourselves as a partner that scrutinizes ‘IIoT’ components down to the last port: denial-of-service scenarios, firmware hardening, update processes, communication protocols, data paths – every potential loophole is tested, simulated, and provoked,” explains Vizcaíno.
Testing, certification, and security concepts: Cybersecurity evaluation
One such partner is Telit Cinterion, a leading global provider of end-to-end IoT solutions, which manufactures IoT modules for wireless and communication solutions. To commercialize the ME910G1, ME310G1, LTE-E, and NB-IoT product families in Europe, compliance with the RED Delegated Act and the ETSI EN 303 645 standard must be demonstrated.
“At DEKRA, we subjected the modules to a complete security evaluation,” explains Vizcaíno. The testing laboratory takes a systematic approach here. “We start at the lower level, testing the individual components for IT security. Then we check how the components behave in their future operating environment – for example, in robots, control systems, or industrial plants.” This approach is typical for tests of this kind: step by step from the details to the overall system, so that no loopholes are overlooked.
Future outlook: the IIoT and IoT cybersecurity race
It is already clear today that ‘chatting’ robots will not become any quieter, but rather louder. The current 5G mobile network will be followed by 6G in a few years – with high bandwidths enabling millions of machines, robots and sensors to communicate virtually without delay. New IIoT/IoT applications will be added, for example in telemedicine, smart cities, and advanced agriculture.
The cybersecurity race will therefore continue for the foreseeable future: between attackers who exploit vulnerabilities and cybersecurity specialists who identify any potential threats as early as possible.