The 2024 EU Cyber Resilience Act (CRA) is creating new hurdles for manufacturers operating in the European market. Complying with the CRA requires cybersecurity practices to be integrated into the development process for all products with digital elements. Without CRA compliance, manufacturers will not be able to attain their Conformité Européenne (CE) mark. Without the CE mark, they will not be able to import or sell products in the European Economic Area.
In many cases, implementing cybersecure operations is more challenging than it sounds. The imperative collides with longstanding challenges where information technology (IT) and operational technology (OT) converge.
As operations teams have faced increasing pressure in recent years to incorporate more external data into their OT networks to drive analytics, efficiency, and business responsiveness, they have struggled with the complication that most OT environments contain high volumes of legacy equipment not designed for the high-stakes cybersecurity environment that exists today. Teams need a solution to secure and streamline legacy equipment communication while also allowing more connectivity to the world outside the plant.
Retrofit Is Not Always Realistic
Modernization is often constrained by installed base realities. Legacy equipment will often be in the field because updating every asset is expensive, time-consuming, and unrealistic, given staffing challenges, limited maintenance opportunities, and poor returns on the upgrade investment.
Yet in many cases, there is no feasible way to secure legacy devices directly. For example, protocols like Modbus lack inherent security. And while newer protocol variants like Modbus TCP are more secure, the systems are often not backwards compatible, so upgrades do not solve the problem.
Traditionally, OT teams have met this challenge with air gapping. Engineers have built a model of strict isolation, where legacy devices — and, often, the entire OT network — are detached from the internet. If no communication is possible, the systems are, theoretically, inherently secure. However, that strategy is now struggling to meet modern operational standards.
Pure Air-Gapping Stymies Efficiency
Modern operations require more than effective equipment and process management strategies. Today’s most effective manufacturers are operating in an increasingly competitive marketplace. These teams need to squeeze every ounce of efficiency possible out of their operations, and doing so requires access to more data for optimized operation, forecasting, and real-time operational adaptation to market factors and plant realities. All these capabilities require some controlled connectivity.
Today’s operators depend on live external data: weather forecasts, supply information, market conditions, customer demand, energy prices, and more. In addition, OT systems increasingly need to interact with business systems — manufacturing execution systems, enterprise resource planning systems, and supply chain platforms — to ensure business continuity and track and trend performance against organizational metrics.
Customers are also increasingly expecting real-time visibility and digital engagement with manufacturers to help them manage their own supply chains. This can necessitate up-to-the-minute process data leaving the OT network for the cloud.
If executed without careful engineering, exposing OT networks directly to internet connectivity creates unacceptable cybersecurity risk, an exacerbated challenge when navigating in the CRA era. Fortunately, modern technology provides a solution: industrial edge software.
A Safe Bridge Between OT Isolation and IT Connectivity
An edge software layer is the ideal architectural decoupler that preserves security while enabling data movement between OT and IT networks. Modern edge software is specifically built to help OT teams move toward digital transformation without disrupting existing plant systems. It is typically available both as a software solution and pre-integrated into many edge controllers and industrial PCs.
Edge software sits between OT networks and external networks, acting as a controlled buffer with secure inbound and outbound communications. The software can pull or receive pushed data from the OT network without exposing OT devices. It can also push predefined incoming data directly to control devices on the OT network.
Outbound data from the OT network travels through a secure, CRA-aligned, predefined pipeline. In addition, any incoming data to the OT network is strictly limited to safe, bounded parameters, as opposed to control commands. This enables advanced optimization and analytics without putting OT assets at risk. Any questionable data — intended as an attack or not — would simply run the process sub-optimally instead of allowing scenarios like a shutdown or overload.
The Edge in Action
While there are nearly unlimited uses for edge software at the IT/OT convergence, many organizations are using the technology to optimize operations to unlock the most elusive performance gains. Edge software can provide controllers with the parameters necessary to begin closing the loop on automated response to changing needs and environmental factors.
Water Plant
For example, consider a traditional water plant managing water pumping across a wide array of weather conditions. Many of these sites today rely heavily on programmable logic controller (PLC) technology to manage pumps and alarms with minimal external intelligence. Such a process has been effective for decades, but an edge controller can use its powerful software to further improve performance. The edge-enabled solution could ingest weather forecast data from an external network and inform the PLCs to run pumps before a storm to create extra capacity. The benefit is likely incremental but can add up over time.
Key to this solution is using securely designed edge software that ensures only a few safe parameters are passed to the PLC. The edge controller does not allow remote operation of the pump. It simply passes collected parameters to the control logic, and the logic determines strategy based on the result.
The benefits of the solution are the potential that the system prevents overflow, increases efficiency, and improves operational uptime. More important, however, is the worst-case scenario. If the input data is imperfect due to error or malicious tampering, the plant likely misses the increased efficiency, but nothing catastrophic can happen because the PLC logic still governs safe operation. No external control of the PLC is possible due to the security of the edge software.
Bottling Plant
Another example of how edge control can improve business and operational outcomes can be seen in a bottling plant. Traditional operations — using quarterly or monthly forecast inputs to determine production metrics — creates a process with slow responsiveness. If the organization under- or overestimates demand, product may sit on shelves for a long time, leading to slow cost recovery, reduced shelf life, or even wasted product.
With edge connectivity, order data can flow seamlessly and securely into the system. Production can automatically adjust output mixes in real time based on demand signals. The potential benefits are better inventory management and more efficient resource allocation.
Moreover, as in the water plant example, security is maintained. Only safe parameters are passed to production — not control commands — so the only potential negative outcome is miscalculated production, not a catastrophic failure or safety incident.
Unifying Legacy Devices Under Modern Protocols
The most powerful edge software is also a key contributor to solving the multi-protocol fragmentation that plagues OT environments. A typical plant can have many different control devices using a wide array of protocols — some secure and some not. Advanced edge software can ingest data from more than 40 protocols, normalizing that information and republishing it in a modern, secure, open protocol like OPC UA or MQTT.
This ability to work as a protocol translator creates a clean, IT-friendly data layer atop the OT network without the need to rip and replace legacy devices. It also provides an OT-centric repository for critical OT data, making it far easier for multi-functional teams to access and leverage operations information to drive operational excellence.
Designed for Ease of Use
Modern edge software solutions are designed to reduce friction and accelerate adoption, leading to faster return on investment. Today’s most advanced edge platforms leverage drag-and-drop configuration features with prebuilt blocks for common applications such as temperature, alarms, visualization, analytics, and data mapping. These tools make it far easier for teams to map parameters and integrate solutions with OT logic. Once the data mapping is understood, edge design is no more complicated than configuring any other control loop.
The software is also designed to simplify the connection between OT and IT teams. Edge devices collect data from all OT sources, clean and contextualize it, and translate it to modern, secure protocols. This single-protocol output creates a clean data spine that IT teams can use to securely gather data from OT systems. The architecture supports CRA-aligned documentation and traceability and ultimately promotes better IT and OT collaboration.
Uptime, Security, and Performance Do Not Need to Conflict
The CRA is accelerating the shift toward secure-by-design OT architectures. While this does create challenges due to the legacy equipment OT teams rely upon, it does not mean OT cannot adapt to modern strategies, nor does it require replacement of all legacy technology. Edge software preserves the critical OT air gap while enabling the data flows that modern operations require. With secure edge control, effective protocol translation, and IT/OT alignment, organizations can achieve both peak uptime and peak efficiency. In today’s more complex industrial environment, that is not just possible — it is essential.
This article was written by Alan Mathason, Senior Project Manager for Controls and Software and Daniel Smith, Senior Product Manager for PACSystems Controllers, Safety and Motion Control, at Emerson (St. Loius, MO). For more information, visit here .
