Embedded Modules/Cybersecurity: From A Communication Building Block to Product Responsibility

Industrial communication is being reassessed today because it no longer only organises data transmission, but increasingly also carries security, updateability, and regulatory robustness.

Communication modules in industrial automation are no longer measured only by how quickly they can be integrated. Increasingly, they also determine how secure, updateable, and regulatorily robust a product remains over many years. With the European Cyber Resilience Act (CRA), the view of connected products is shifting noticeably:

• The regulation has been in force since December 10, 2024.
• The reporting obligations for actively exploited vulnerabilities and serious security incidents apply from September 11, 2026.
• The main obligations apply from December 11, 2027.

This regulatory impetus did not come out of nowhere. With the CRA, the European Union (EU) is responding to security deficits in products with digital elements and to the fact that necessary security updates are often not provided in time. For device manufacturers, this has immediate consequences: The question of industrial communication is no longer only a question of connectivity. It is increasingly becoming a question of product responsibility over the entire lifecycle.

Why embedded modules are being reassessed right now

Pressure on device manufacturers is currently growing from several sides at once. Security requirements are rising, products must remain maintainable over long lifecycles, and at the same time development windows and time-to-market are shrinking in many markets. Connected devices no longer must convince only at design-in. They also have to remain updateable later, be traceably securable, and be organisationally manageable in an emergency. The CRA places this lifecycle concept at the centre.

Especially in this field of tension, embedded modules are gaining attractiveness. They do not only provide communication functionality, they also bundle complexity at a strategically important point in the product architecture. So it is no longer only the question of whether an embedded module can map communication, but how robustly this function is organised over the entire lifecycle. Where previously protocol support, integration effort, and time-to-market were the focus, today updateability, security architecture, and verifiability are also moving into the evaluation.

“Cybersecurity cannot be added afterward,” says Thomas Rauch, Chief Technology Officer (CTO) at Hilscher. “It has to be integrated into the architecture from the beginning – in hardware, software, and management systems. That is why every secure architecture starts at the device level. Every vulnerability that exists here renders all downstream protective measures ineffective.”

Security becomes a guiding principle at the protocol level as well

That this shift is not only regulatory, but also technological, is shown by a look into the major Industrial Ethernet ecosystems. At the protocol level as well, security, verifiability, and lifecycle capability are gaining weight.

A look at the most important protocol technologies shows this:

PROFINET

The PROFINET protocol is already a good basis for CRA compliance today. For security, however, there is no one-size-fits-all approach – PROFIBUS & PROFINET International (PI) says that as well. The PROFINET Security concept is therefore divided into three classes to secure industrial networks and focuses on protection against unauthorised access (DCP protection, signed GSD files), ensuring communication between authenticated devices (integrity & authenticity), and data encryption to protect IO data (confidentiality).

EtherCAT

Although the EtherCAT protocol inherently offers a small attack surface for malware because it processes Ethernet frames and is therefore clearly separated from IT-based infrastructure, the EtherCAT Technology Group is also working on protocol extensions for EtherCAT applications with very high cybersecurity requirements. In addition, a dedicated certification authority is to be established so that EtherCAT components can be uniformly signed and authenticated.

EtherNet/IP

ODVA has created a framework for CIP Security, an extension of the EtherNet/IP protocol standard, with which identified vulnerabilities can be appropriately disclosed and addressed. As the most important requirements in this context, ODVA names security-by-default, protection against unauthorised access, and the confidentiality and integrity of transmitted data. For this purpose, CIP Security extends the Common Industrial Protocol with TLS/DTLS encryption and certificate-based authentication to secure both TCP- and UDP-based communication.

For device manufacturers, one thing is decisive: The choice of a communication solution today is no longer only a question of network connection. It is increasingly also a decision about security architecture, feasibility, and future regulatory capability. The details differ depending on the protocol, but the direction is similar: Security mechanisms are described more bindingly, requirements are defined more precisely, and their practical feasibility in the product context is brought more strongly to the forefront.

Which integration strategy device manufacturers must choose now

Against this background, the question of integration depth is moving more into focus. Embedded modules occupy the intermediate position between deep SoC design-in and finished communication building blocks such as PC cards or external solutions. Especially this mid-level integration stage can be attractive today: It helps limit development effort and time-to-market without manufacturers having to completely redevelop every protocol and security function themselves from scratch.

At the same time, an embedded module is not the best choice in every case. Those who strive for maximum control over the architecture, want to realise extreme cost scaling, or address only very simple communication requirements may be better served by other integration approaches depending on the application. The strength of embedded modules therefore does not lie in always being the best solution. Their strength lies in becoming a particularly robust compromise for many device manufacturers under rising security, update, and integration requirements.

How the change can be implemented in practice

Using the example of the comX 90, a multiprotocol-capable communication interface from the German-based industrial communication specialist Hilscher, it can be shown how a modern embedded module can respond to these changed requirements. As a compact device solution

(formerly slave), it addresses exactly the needs of many device manufacturers to integrate industrial communication quickly into existing device architectures without having to specialise themselves down to the deepest level in every protocol and security question. The added value of such modules thus lies not only in connectivity, but in the more predictable control of complexity at a point that is becoming increasingly important for the future viability of the product.

If communication modules increasingly become carriers of higher integration and security requirements, this development is likely to continue in future module generations. An early look at future communication technologies such as the new netX-900 generation of controller-capable (formerly master) network processors from Hilscher can therefore make sense. Not as a product promise, but as a gauge of where the role of industrial communication modules is developing.

Connectivity alone is no longer enough

Industrial communication is being reassessed today because it no longer only organises data transmission, but increasingly also carries security, updateability, and regulatory robustness. The CRA does not cause this change alone, but it gives it a clear temporal and regulatory framework: Products with digital elements are to be designed securely, maintained, and, in the event of incidents, also managed organisationally over their lifecycle.

This also changes the role of communication modules. They are no longer only integration aids, but a strategic component of the product architecture. Those who develop industrial communication today therefore no longer decide only about connectivity, but about the future security and regulatory capability of their product.