The Power of Electronics in Cybersecurity

By AJ Born | June 17, 2025

Critical infrastructure and factory automation are among the most common targets of cyberattacks. Building cybersecurity into these systems is as necessary as any performance or safety measures.

Cyber-attacks have become an increasingly complex, sophisticated, and high stakes threat. Industrial cybersecurity is evolving to meet the challenges of protecting systems and assets, ensuring safety, and preventing financial loss. This involves multiple layers and participants, including component manufacturers, system manufacturers/service providers, and system operators.

The number one framework for managing cybersecurity is NIST CSF, said George Reed, a solutions engineer and Global Industrial Cyber Security Professional (GICSP) at Phoenix Contact.  Next, he said, is IEC 62443, a holistic standard that guides the manufacturing of “secure by design” devices, the specification of parts by service providers, and the security practices of end users. Secure by design, a key feature of IEC 62443 4-1 and 4-2, is a comprehensive approach that defines procedural and technical measures.

“We help people implement these different frameworks or decide which products to choose to put into an application,” said Reed. “We follow the 62443 4-1 and 4-2 standard in the development of mostly anything that has communications or an interface built into it. Think switches, routers, wireless devices, and controllers. We develop and follow that lifecycle with security first and foremost. Each of those items has features to implement different types of security controls, such as encryption, authentication, and changing default passwords, that go into the system design.”

For example, designing a secure network application might start with designing a network that controls a manufacturing line with the proper zones and conduits, configuring the products that go in the network. “We’ll inject cybersecurity into the conversation — to make this a secure network you need to do X, Y, and Z,” said Reed.

Manufacturers who sell into the European market are required to comply with CRA (Cyber Resilience Act) by December 2027 to get the CE approval on products. Additionally, NIS 2 (Network and Information Security directive) which took effect in October 2024, applies to companies within the EU and impacts internal business security processes. On August 1, 2025, manufacturers of all devices containing radio technologies must comply with new cybersecurity requirements under the EU’s Radio Equipment Directive (RED) 2014/53/EU.

The issues and risks confronting system operators

Critical infrastructure, water/wastewater, electric power, and oil & gas are among the biggest entities at risk and in need of extra security. Traffic systems, rail, and transit systems are also targets, along with manufacturing facilities. Bad actors can shut down substations and drop entire sections of the country off the power grid. A manufacturer locked out of one of its lines due to a ransomware attack can lose millions of dollars a day. According to the EPA, unauthorized remote users can compromise water and wastewater treatment facilities by exploiting the Human Machine Interfaces (HMI) to view and adjust real-time system settings, potentially disrupting the water and wastewater treatment process. Having security built into these systems maximizes its effectiveness.

“OSINT (open source intelligence or open source internet research) provides the ability to investigate companies and identify targets. Someone can take a block of IP addresses and try different attacks to see if anything gets by and then follow up with a more coordinated attack after they do some research,” said Reed. Fortune 500 companies are attractive targets because they have a lot of money and resources, but small to medium organizations are also at risk because they are less likely to have much security in place. Depending on cost, it might make more sense for companies to pay that ransom than to redo their whole system, which could be very expensive. “If the ransom is $200,000, but it will cost $500,000 to replace their system, they’re going to pay it,” he added. This, of course, is a less than ideal solution, and should motivate companies to take a proactive approach to their security.

Considerations for developing cybersecurity systems

Budget is, perhaps, the primary consideration, said Reed. “If the budget doesn’t exist to actually implement the measures necessary to protect the system, they need to go back and come up with a game plan.”

The second consideration is whether they have someone on staff to oversee this. “I always ask if they have somebody able to manage and implement the practices outlined in the frameworks,” Reed said. Security needs are constantly evolving. Ideally, keeping on top of new developments and tracking the new CVEs (common vulnerabilities and exposure) on products in the network would be someone’s primary responsibility. Sometimes, however, it is shared by the IT and OT departments. Or sometimes a facilities manager has to wear that hat.

Phoenix Contact’s 360° security concept begins with development, adhering to IEC 62443 4-1 and 4-2, for its products. “The products themselves have those security controls in them, during their entire life cycle,” said Reed. “Our product development group continues to do iterations of firmware updates for those products, while my group focuses on building solutions out with cybersecurity in mind. Our Product Security Incident Response (PSIRT) team watches the market for emerging threats, determines how those apply to our products, and sends out notifications of new CVEs to help customers ensure their security going forward.”

Reed next tries to get an understanding of where the company is in terms of security maturity, then makes suggestions based on that. Many different questions illustrate what that network actually looks like and what the starting point is. How much do they know about cyber security? What do they have in place now? What are their policies and procedures? Do they have legacy products? Are they doing asset tracking? Are they updating firmware? Do they change default passwords? Do they have VLAN setup? Do they have any segmentation? Is it a flat network? Is it air gapped?

Reed said he also asks: What are your crown jewels — your most important assets — and how are you protecting them? Do you have them segmented? Do you have them micro-segmented? Do you have firewalls in place or is it just a part of the entire flat network? What does that look like? “After identifying where they are, then we can start to make that plan for moving forward and implementing new practices.” This includes writing policies and adhering to X, Y, and Z and ensuring that they’re using common practices such as the principle of least privilege, meaning that users have the minimum amount of access and permissions to do their jobs. “We encounter a wide range of people, from those who know nothing about cybersecurity to those who are well practiced and well-versed in cybersecurity and just might need some help implementing our products into their network,” said Reed.

BACnet SC and building automation security

As building systems like HVAC, lighting, shading, and access control become increasingly connected to the cloud, they also become more vulnerable to cyber threats. This connectivity, while enabling remote management and data-driven optimization, opens potential attack surfaces that malicious actors can exploit. BACnet Secure Connect (BACnet/SC) addresses these vulnerabilities by introducing a secure, encrypted communication layer to the BACnet protocol.

BACnet, an open-source data communication protocol for building automation and control (BAC) networks, was developed by ASHRAE (American Society of Heating, Refrigerating, and Air Conditioning Engineers) for interoperability of devices from different manufacturers on a building network. BACnet standardizes device communication and integration. BACnet/IP extends this functionality by enabling communication over Ethernet networks using the Internet Protocol (IP), but relies on the User Datagram Protocol (UDP), which lacks inherent security mechanisms. As a result, systems using BACnet/IP are susceptible to cyber threats such as eavesdropping, spoofing, and denial-of-service (DoS) attacks. While it is unlikely that someone could hack into other systems from the HVAC to gain access to private data, it is not impossible. However, unauthorized control of a building’s main functions, including access, could result in a lot of damage.

“BACnet/SC works the same as BACnet/IP while addressing the security shortcomings of the earlier protocol. BACnet/SC introduces encrypted, authenticated communication using modern IT standards, significantly enhancing the cybersecurity posture of building automation networks,” said Dan Jamroz, business and brand development manager at METZ Connect.

BACnet/SC uses TLS (transport layer security) for end-to-end encryption. In addition, each BACnet/SC device must present a digital certificate to verify its identity. This mutual authentication process ensures that only trusted devices can participate in the network, significantly reducing the risk of spoofing or impersonation attacks. BACnet/SC also uses WebSockets over TCP/IP, rather than UDP. This improves reliability, supports firewall traversal, and aligns more closely with modern IT networking standards. “WebSockets are a two-way, real-time connection between the server and device. Once you get connected, nobody can get in,” said Jamroz.

Another advantage of BACnet SC is that it can communicate with BACnet IP devices. This allows you to upgrade your system to BACnet SC without having to upgrade all your devices. “One important thing to know is that the SC router will allow your IP devices to work properly, but they will not have the SC security features. They will still only have the features they had before,” said Jamroz.

Data transfer speeds impact security

Connectors with high data transfer speeds (10, 16, 25, and even 32+ Gb/s) are critical for cybersecurity hardware because they directly contribute to the performance, integrity, and responsiveness of secure systems that rely on real-time data analysis — including network traffic monitoring and malware detection. Connectors that are too slow are potentially vulnerable to DoS attacks, and cause bottlenecks in encryption and decryption processes. Built-in EMI shielding is necessary for preventing signal degradation, crosstalk, and signal leakage, to resist hacking attempts such as side-channel attacks that exploit signal weaknesses in hardware.

Manufactured with precision in accordance with PICMG COM Express, SFF-SIG CoreExpress, and nano-ETXexpress specifications, EPT’s Colibri 0.5 mm pitch SMT series includes versions capable of 25-32+ Gb/s, meeting the highest expectations for reliability in mission-critical systems.

To learn more about the companies mentioned in this article, visit the Preferred Supplier pages for Phoenix Contact, METZ Connect, and ept.

Like this article? Check out our other Circular Connectors and Standards articles, our Industrial Market Page, and our 2024 and 2025 Article Archives

Subscribe to our weekly e-newsletters, follow us on LinkedIn, Twitter, and Facebook, and check out our eBook archives for more applicable, expert-informed connectivity content.

AJ Born
Latest posts by AJ Born (see all)
Get the Latest News