Blog Detailpage of the Whitepaper TacklingSoftware Supply Chain Risks with IEC 62443 and SBOM

Experts recommend: Managing Risks in the Software Supply Chain of Industrial Equipment & Products

New expert whitepaper on managing risks in the software supply chain using IEC 62443 and automated software BOMs now available!

DĂĽsseldorf, September 07, 2022 – With a new cybersecurity agenda, the German government wants to improve the security of industrial plants. That, however, does not seem to be materializing, criticizes the German Engineering Federation (VDMA). The association had expected broader support and promotion of resilience in the supply chain. “Unfortunately, the agenda does not meet this claim,” says Claus Oetter, Managing Director Software & Digitalization at the VDMA, the largest network organization and an important voice for the mechanical engineering industry in Germany and Europe, in a press release. ONEKEY, a company specializing in plant and IoT security, confirms this and says: cyber attacks on “Industrial Automation and Control Systems” (IACS) are on the rise. “In the past, IT and IoT systems were the main targets of cyber criminals. But the same threats, such as ransomware attacks and the interconnection of devices into massive botnets, are increasingly affecting IACS and posing a huge and barely calculable risk,” explains Jan Wendenburg, CEO of ONEKEY and operator of one of the leading automated platforms for the automatic analysis of firmware used in industrial plant control systems of all kinds, especially critical infrastructure (CRITIS), as well as networked devices.

Software supply chain needs monitoring

All too often it is made too easy for hackers, ONEKEY’s ongoing analyses reveal. “The internal components of the firmware and software required for operation are often unknown and dominated by a lack of transparency. Making the entire software supply chain transparent is even more difficult when the source code of the affected components is not available. An automated SBOM (Software Bill of Materials) created from the binary code can provide the transparency for everyone and enable the steps that policymakers still shy away from. In this case, the business community has to take over,” says Wendenburg of ONEKEY. To this end, the company has published a white paper that decisively outlines the problem as well as solution scenarios. According to the VDMA, cyber criminals have already caused immense damage to software and digitalization of the German industry with so-called ransomware attacks. The costs of such cyber attacks are said to amount well to millions of euros per day, and production facilities are often at a standstill between four and eight weeks after a hacker attack, according to the VDMA.

IEC 62443 guideline lays foundations

The increased risk situation is leading to growing security requirements for plant owners and system integrators. Since 2009, the International Electrotechnical Commission (IEC) has developed a set of guidelines for the security of industrial automation and control systems: the IEC 62443. “In modern plants, 80 to 90 percent of the code base consists of third-party software components. Since much of the code base is not under the direct control of the vendor, a significant amount of the risk and exposure comes from third-party software components,” adds Jan Wendenburg of ONEKEY. With the automated creation of SBOMs and vulnerability analyses on the basis of the ONEKEY compliance platform, a significant contribution is made to comply with IEC 62443-4-1 ­- with a high level of automation at the same time.

The complete whitepaper “Tackling Software Supply Chain Risks with IEC 62443 and SBOM” can be downloaded here.


ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.



Sara Fortmann

Marketing Manager


euromarcom public relations GmbH

+49 611 973 150