OEMs Can’t Afford to Not Embrace Cybersecurity

PBUS 46 Rockwell Logo 1200 1024x536

July 10, 2026

By Robb Skruck, Principal OEM & Logistics, Rockwell Automation, & Rick Kaun. Global Director, Cybersecurity Services Sales, Rockwell Automation

Cybersecurity for OEMs has usually been someone else’s responsibility. The end users’ IT team handled the networks while the OT organization managed security on their plant floors. And the machines were engineered for uptime, precision and safety. Thanks to the evolving threat landscape, that era is over.

Regulations like the EU Cyber Resilience Act (CRA) and NIS2 are now placing direct obligations on equipment manufacturers. In parallel, the New Machinery Regulation is reinforcing requirements around safety, including the need to address cybersecurity risks that could impact the safe operation of machines. For many OEMs, it’s uncharted territory. The requirements go beyond what their teams have previously managed—and it applies to products and processes that weren’t built with cybersecurity in mind.

It’s easy to do the bare minimum of checking the compliance box and moving on. But that temptation comes at a price. The OEMs who understand what’s at stake, lean in and embrace an OT cybersecurity program will come out ahead. This blog will help OEMs on the path to embracing OT cybersecurity as a competitive advantage.

Reframing OT Cybersecurity for OEMs

Consider the analogy of safety systems on a factory floor. No one argues that safety equipment is only protection against potential bad outcomes. Safety systems are what allow operations to run faster, more reliably and for longer. At the end of the day, a well-designed safety program enables facilities to go further.

OT cybersecurity, when properly implemented, works the same way. A secure environment is a more resilient one. It supports better uptime, cleaner data, faster recovery and more confident modernization.

OEMs that build cybersecurity into how they operate and what they ship can reduce risk while building a more capable and trustworthy product. Reframing OT cybersecurity as an opportunity produces programs and capabilities that compound over time. And in time, your customers will notice and value it. Equipment with robust, turnkey OT security will have a distinct advantage in the market.

The Option for OEMs and the Resulting Impacts

In the Power Industry, energy companies went through a similar regulatory requirement called NERC CIP. When NERC CIP emerged, organizations split into two types of camps: Those that treated it as a task and those that embedded it into their program.

Option 1: Treat It as a Task

Organizations in this arena focused on which assets they needed to secure and which ones they could ignore. They found workarounds like data diodes to help minimize the effort. This approach seems like it can work—until it doesn’t.

An energy utility company that used this approach ended up racking up 127 security violations and a $10 million fine. Regulators cited inadequate training, process deficiencies and lack of internal controls as the catalyst. This resulted in them having to rebuild their program from scratch.

Option 2: Embed It into the Program

Another utility chose to embed it into their program. They started with a few thousand assets and no clear picture of what they had. They also had a high-risk score and no credible way to talk to their board about it.

By committing to a programmatic approach, they grew their asset visibility, drove their risk score down and reached a point where they could proactively plan capital budgets with board-level confidence.

What Secure by Design Looks Like for OEMs

It helps to organize the requirements for OT cybersecurity across three distinct phases. These phases include internal security, product security and lifecycle management.

These domains are increasingly shaped by the convergence of key European regulations, including NIS2, the New Machinery Regulation and the Cyber Resilience Act, all of which reinforce the need for a holistic, end-to-end cybersecurity approach across industrial environments. CRA noncompliance with essential cybersecurity requirements can result in fines of up to €15 million or 2.5% of global annual turnover. And NIS2 can carry penalties of up to €10 million or 2% of global annual turnover. OEMs that take the time to build out these phases can start to differentiate themselves competitively.

Phase 1: Internal Security

The first thing OEMs need to do is demonstrate that they’re a secure organization. This means having defensible policies, tested processes and the ability to show customers and regulators that the company operates at a credible standard.

It also includes things like quality control procedures, four-eyes review processes for software and firmware, penetration testing and business continuity planning. By being able to show these initiatives to customers, you’re building the foundation that makes everything else credible.

Phase 2: Product Security

This next phase involves shipping secure-by-design machines with a verifiable bill of materials. This includes known firmware versions and a documented process for identifying and communicating vulnerabilities.

This is the front that most closely mirrors what the regulatory standards explicitly require. It demands that security be considered at the earliest stages of product development. OEMs that have navigated safety compliance will recognize this journey. The muscle memory is there. OT cybersecurity applies this same level of discipline to a new domain.

Phase 3: Lifecycle Management

The last phase is the hardest one. It involves the ability to track, maintain and support the installed base over time. As machines age, environments change and vulnerabilities emerge, the OEMs responsibility doesn’t end at the point of shipment.

Understanding what’s out in the field, managing firmware updates and providing customers with meaningful visibility into the security posture of their equipment is an ongoing obligation.

It’s also the front with the greatest revenue potential. Managed security services for the installed base represent a meaningful and differentiated offering; particularly for end users who lack the internal expertise to manage OT cybersecurity themselves.

The organizations that will lead this space aren’t those who treat these three fronts as separate compliance projects. They’re the ones who build a coherent program that addresses all three—and who can demonstrate what they’ve done and why.

How OEMs Can Start Embracing OT Cybersecurity

OEMs can find cybersecurity daunting because they don’t know where to start. Here are a few steps to help get on the right path.

Step 1: Start with Mindset

Leadership has to decide whether cybersecurity is a compliance exercise or a competitive opportunity. That decision determines everything else.

Step 2: Get Clear on the Destination

There’s a difference between what regulation requires today and what a mature cyber program looks like over time. It’s important to know both.

The near-term compliance requirements are the tree and the full program is the forest. Confusing them leads to underbuilding or building the wrong things.

Step 3: Partner Strategically

The right partners bring frameworks, proven tooling and institutional experience that can help you build a manageable OT cybersecurity program.

But it’s important to start that journey now. As the regulatory environment matures and more OEMs build programs, the gap between advanced and novice OEMs will become visible to customers. And it will matter to purchasing decisions in ways it doesn’t yet today.

Important_Links_Bar.jpg

https://www.rockwellautomation.com/en-us/company/news/blogs/oems-cant-afford-to-not-embrace-cybersecurity.html

Related Articles

Network Infrastructure Featured Product Spotlight

PBUS 14 Panduit logo 400

This webinar presented by Beth Lessard and Keith Cordero will be highlighting three Panduit solutions that will optimize network equipment and cabling to ensure that your spaces are efficiently and properly managed to support ever-evolving business needs of today and beyond. Products that will be featured include PanZone TrueEdge Wall Mount Enclsoure, Cable Managers, and Adjustable Depth 4-Post Rack.

REGISTER HERE


Editor’s Pick: Featured Product News

Siemens: SIMOVAC Non-Arc-Resistant and SIMOVAC-AR Arc-Resistant Motor Controllers

The Siemens SIMOVAC medium-voltage non-arc-resistant and SIMOVAC-AR arc-resistant controllers have a modular design incorporating up to two 12SVC400 (400 A) controllers, housed in a freestanding sheet steel enclosure. Each controller is UL 347 class E2, equipped with three current-limiting fuses, a non-load-break isolating switch, and a fixed-mounted vacuum contactor (plug-in type optional for 12SVC400). The enclosure is designed for front access, allowing the equipment to be located with the rear of the equipment close to a non-combustible wall.

Read More


Sponsored Content
Electrify Your Enterprise

Power is vital to production, and well-designed control cabinets are key. Allied Electronics & Automation offers a comprehensive collection of control cabinet solutions including PLCs, HMIs, contactors, miniature circuit breakers, terminal block connectors, DIN-rail power supplies, pushbutton switches, motor starters, overloads, power relays, industrial Ethernet switches and AC drives engineered to keep your operations running safely, reliably and efficiently.

Learn more HERE.


Products for Panel Builders

  • Mouser: Molex’s VersaPower Connectors Maintain Stable Performance in High-Current Applications

    Mouser: Molex’s VersaPower Connectors Maintain Stable Performance in High-Current Applications

    Mouser Electronics, Inc. is now stocking the VersaPower connectors from Molex. Featuring a fine 0.30 mm pitch and a compact mated height of just 0.6 0mm, VersaPower is a next-generation embedded connector system for modern electronic solutions. The VersaPower connectors help maintain stable performance in high-current applications, including automotive systems, appliances and white goods, industrial automation, medical technology, mobile devices, and networking. Read More…

  • Toshiba: RemotEye ESS2 Delivers Smarter Monitoring for SCiB Energy Storage Systems

    Toshiba: RemotEye ESS2 Delivers Smarter Monitoring for SCiB Energy Storage Systems

    Toshiba International Corporation (TIC) announces the release of Toshiba RemotEye ESS2, the newest evolution of its intelligent IIoT‑based monitoring and management platform for Toshiba SCiB Energy Storage Systems (ESS). The RemotEye ESS2 provides advanced analytics, enhanced cybersecurity features compared to prior generation, and expanded connectivity to support modern data centers, industrial facilities, and enterprise IT environments.… Read More…