Industrial IoT: Firmware Loopholes Are an Unpredictable Risk

Market for IIoT set to multiply – IP-based systems have been the focus of hackers for some time now

Bad Homburg v.d.H., July 27th, 2021 – As more and more manufacturing and production facilities are integrated into an IT infrastructure, the market continues to rise thanks to the general increase in digitalization and automation. According to a market study conducted by IoT Analytics, global spending on Industrial Internet of Things platforms for the manufacturing industry will increase significantly. Growth of 24 percent is expected in 2021, and 26.7 percent in subsequent years. In 2020, a total of $128.9 billion was spent on IIoT equipment. “As investments pontificate, so does risk. Unlike PCs in the network, IIoT devices are implemented with significantly less risk awareness,” explains Florian Lukavsky, IoT expert and managing director of IoT Inspector. The security platform analyzes the firmware of IoT devices and has already published many advisories for the manufacturers concerned. Random sampling has revealed serious security vulnerabilities in nine out of ten devices – ranging from routers to printers and even production machines that are integrated into manufacturing facilities.

Stuxnet was just the beginning

The Stuxnet worm was first identified in 2010. At that time, it had already infected a number of industrial plants around the world. Among them was the Iranian nuclear power plant Bushehr. It was not until July 2021 that a new, undefined incident occurred there, which led to the power plant being taken offline. “Stuxnet was an appetizer. There are more than just suspicions that such attacks will spread massively with the growth of IoT technology. Security auditing according to established guidelines is therefore essential,” insists Florian Lukavsky of IoT Inspector. The company has one of the largest platforms for the in-depth inspection of factory-installed device software, known as firmware, for security vulnerabilities. A common problem here is that production computers and other IoT devices often contain OEM technology from numerous third-party manufacturers. This means that a security vulnerability is often hidden and almost invisible to the company’s own IT department, unless a thorough firmware analysis is carried out.

VDMA: Downtime threatens existence

Production plants can easily come to a complete standstill for four to six weeks if a hacker compromises the firmware by exploiting its vulnerabilities. “With all the knock-on effects, this can take up to three quarters of a year. In the end, the company will no longer look the same as it did before,” says Steffen Zimmermann of the VDMA* (German Engineering Federation). Ultimately, this makes any attack by a hacker an existential threat to a company. If the infection is introduced via a firmware vulnerability, the entire network must be shut down. This means that not only production but also administration becomes inoperative. Often, customers cannot even be informed, as access to CRM and ERP systems is similarly denied. Further digitization in the course of Industry 4.0 can therefore only take place if IT security is an inherent part of the process and integrated as early as the planning stage of industrial plants.

*Article in German


ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.



Sara Fortmann

Marketing Manager


euromarcom public relations GmbH

+49 611 973 150