OEMs Can’t Afford to Not Embrace Cybersecurity

July 10, 2026
By Robb Skruck, Principal OEM & Logistics, Rockwell Automation, & Rick Kaun. Global Director, Cybersecurity Services Sales, Rockwell Automation
Cybersecurity for OEMs has usually been someone else’s responsibility. The end users’ IT team handled the networks while the OT organization managed security on their plant floors. And the machines were engineered for uptime, precision and safety. Thanks to the evolving threat landscape, that era is over.
Regulations like the EU Cyber Resilience Act (CRA) and NIS2 are now placing direct obligations on equipment manufacturers. In parallel, the New Machinery Regulation is reinforcing requirements around safety, including the need to address cybersecurity risks that could impact the safe operation of machines. For many OEMs, it’s uncharted territory. The requirements go beyond what their teams have previously managed—and it applies to products and processes that weren’t built with cybersecurity in mind.
It’s easy to do the bare minimum of checking the compliance box and moving on. But that temptation comes at a price. The OEMs who understand what’s at stake, lean in and embrace an OT cybersecurity program will come out ahead. This blog will help OEMs on the path to embracing OT cybersecurity as a competitive advantage.
Reframing OT Cybersecurity for OEMs
Consider the analogy of safety systems on a factory floor. No one argues that safety equipment is only protection against potential bad outcomes. Safety systems are what allow operations to run faster, more reliably and for longer. At the end of the day, a well-designed safety program enables facilities to go further.
OT cybersecurity, when properly implemented, works the same way. A secure environment is a more resilient one. It supports better uptime, cleaner data, faster recovery and more confident modernization.
OEMs that build cybersecurity into how they operate and what they ship can reduce risk while building a more capable and trustworthy product. Reframing OT cybersecurity as an opportunity produces programs and capabilities that compound over time. And in time, your customers will notice and value it. Equipment with robust, turnkey OT security will have a distinct advantage in the market.
The Option for OEMs and the Resulting Impacts
In the Power Industry, energy companies went through a similar regulatory requirement called NERC CIP. When NERC CIP emerged, organizations split into two types of camps: Those that treated it as a task and those that embedded it into their program.
Option 1: Treat It as a Task
Organizations in this arena focused on which assets they needed to secure and which ones they could ignore. They found workarounds like data diodes to help minimize the effort. This approach seems like it can work—until it doesn’t.
An energy utility company that used this approach ended up racking up 127 security violations and a $10 million fine. Regulators cited inadequate training, process deficiencies and lack of internal controls as the catalyst. This resulted in them having to rebuild their program from scratch.
Option 2: Embed It into the Program
Another utility chose to embed it into their program. They started with a few thousand assets and no clear picture of what they had. They also had a high-risk score and no credible way to talk to their board about it.
By committing to a programmatic approach, they grew their asset visibility, drove their risk score down and reached a point where they could proactively plan capital budgets with board-level confidence.
What Secure by Design Looks Like for OEMs
It helps to organize the requirements for OT cybersecurity across three distinct phases. These phases include internal security, product security and lifecycle management.
These domains are increasingly shaped by the convergence of key European regulations, including NIS2, the New Machinery Regulation and the Cyber Resilience Act, all of which reinforce the need for a holistic, end-to-end cybersecurity approach across industrial environments. CRA noncompliance with essential cybersecurity requirements can result in fines of up to €15 million or 2.5% of global annual turnover. And NIS2 can carry penalties of up to €10 million or 2% of global annual turnover. OEMs that take the time to build out these phases can start to differentiate themselves competitively.
Phase 1: Internal Security
The first thing OEMs need to do is demonstrate that they’re a secure organization. This means having defensible policies, tested processes and the ability to show customers and regulators that the company operates at a credible standard.
It also includes things like quality control procedures, four-eyes review processes for software and firmware, penetration testing and business continuity planning. By being able to show these initiatives to customers, you’re building the foundation that makes everything else credible.
Phase 2: Product Security
This next phase involves shipping secure-by-design machines with a verifiable bill of materials. This includes known firmware versions and a documented process for identifying and communicating vulnerabilities.
This is the front that most closely mirrors what the regulatory standards explicitly require. It demands that security be considered at the earliest stages of product development. OEMs that have navigated safety compliance will recognize this journey. The muscle memory is there. OT cybersecurity applies this same level of discipline to a new domain.
Phase 3: Lifecycle Management
The last phase is the hardest one. It involves the ability to track, maintain and support the installed base over time. As machines age, environments change and vulnerabilities emerge, the OEMs responsibility doesn’t end at the point of shipment.
Understanding what’s out in the field, managing firmware updates and providing customers with meaningful visibility into the security posture of their equipment is an ongoing obligation.
It’s also the front with the greatest revenue potential. Managed security services for the installed base represent a meaningful and differentiated offering; particularly for end users who lack the internal expertise to manage OT cybersecurity themselves.
The organizations that will lead this space aren’t those who treat these three fronts as separate compliance projects. They’re the ones who build a coherent program that addresses all three—and who can demonstrate what they’ve done and why.
How OEMs Can Start Embracing OT Cybersecurity
OEMs can find cybersecurity daunting because they don’t know where to start. Here are a few steps to help get on the right path.
Step 1: Start with Mindset
Leadership has to decide whether cybersecurity is a compliance exercise or a competitive opportunity. That decision determines everything else.
Step 2: Get Clear on the Destination
There’s a difference between what regulation requires today and what a mature cyber program looks like over time. It’s important to know both.
The near-term compliance requirements are the tree and the full program is the forest. Confusing them leads to underbuilding or building the wrong things.
Step 3: Partner Strategically
The right partners bring frameworks, proven tooling and institutional experience that can help you build a manageable OT cybersecurity program.
But it’s important to start that journey now. As the regulatory environment matures and more OEMs build programs, the gap between advanced and novice OEMs will become visible to customers. And it will matter to purchasing decisions in ways it doesn’t yet today.







