
Retrofit under EU requirements: How Perinet securely connects legacy systems


In episode 190 of the IoT Use Case Podcast, host Ing. Madeleine Mickeleit talks with Dr.-Ing. Karsten Walther, Managing Director of Perinet. The episode focuses on the practical implementation of the EU Data Act in industry. It covers secure data use directly at machines and devices, brownfield retrofits with Modbus and RS485, Single Pair Ethernet as a bridge into the IP world, and realistic steps from secure link encryption to a cloud ready architecture.

Podcast episode summary

EU Data Act in practice. How manufacturers and operators can retrofit legacy installations securely and make device data usable.
The challenge often starts in the field. Many controllers were conceived in the eighties, speak Modbus or RS485, and have no network interface. Data access is still required, as are transparency and security.
At the same time, processes must not stop and investments must remain plannable. The solution is a step by step retrofit with clear priorities.
First, secure communication over the existing line. Adapters placed between field devices and controllers translate Modbus into the IP world, enable encryption, and ensure clean device management. Network security is designed so that installers in the field can work safely.
In the next step, individual devices become independent network participants, with a perspective toward virtualized control and centralized software rollout. Perinet provides suitable IoT hardware such as smart adapters and contributes consulting for integration and security.
The result is secure, economical, and EU Data Act compliant solutions with a clear roadmap for brownfield installations. This is especially relevant for manufacturers, operators, and system integrators who want to combine data sovereignty, scalability, and investment security. Listen now and take away concrete steps for your own retrofit strategy.

Podcast interview

Hello, dear friends of IoT. If you are a manufacturer, you need to retrofit existing systems so that data can be read and provided securely and in compliance with the law. Who says so? The European Union. Since September 2025 there have been clear regulatory requirements. You will now hear when these take effect or whether they already apply. As always, we share hands on insights from real customer projects so you can retrofit your systems and devices step by step. For example, if you have a Modbus interface or other connectors and want to ensure secure data transmission without having to replace entire devices or systems. Who could explain this better than an absolute expert in integrating sensors and actuators into the IP world?
Joining us today is Dr.-Ing. Karsten Walther, Managing Director of Perinet, a spin off from the Harting Group. You probably know Harting as a world leading provider of industrial connectivity. You can find all information about this episode and about implementing your projects at www.iotusecase.com or in the show notes. And with that, let us head into the studio.

Hello and a warm welcome, Karsten. How are you today? Great to have you here.

Karsten

Hello, I am very well, thank you for the invitation. It is an extremely exciting topic that really moves me. I am happy to talk about it today.

Very nice. How was your week? Do you have anything planned for the weekend?

Karsten

The week was still a bit shaped by a cold, but the highlight is coming this weekend. I am going back to the motocross track with my son. That is always a highlight.

That is great, especially when you can do it with your kids. Awesome. Do you ride yourself, or is it just him?

Karsten

Yes, I started that nonsense during my midlife crisis and took him along. At some point he wanted to as well.

Nice, that is something for me too. I also ride a motorcycle, but I have not tried motocross yet. That goes on my bucket list. Cool, let us start with you for those who do not know you yet. You have a technical background in computer science and electrical engineering.
What is your personal motivation when it comes to IoT? Do you have highlights from the last one to two years from your projects?

Karsten

I am a child of the nineties, the era when the internet emerged. We experienced all stages of its evolution, the commercialization in the 1990s, then DSL, broadband, iPhones, edge computers. We saw each of these leaps. What has been missing so far is the connection to the physical world, to sensors and actuators. The ideas for this existed back in the nineties, for example how to integrate such components into an IP world. Now we are at the threshold where the technology is available. This allows us to take that step. We are at a growth threshold of the internet, and that is incredibly exciting.
In our projects we see this awareness arriving in companies. IT is reaching ever deeper down to the sensor. You asked about highlights. A major topic is the European Data Act and the Cyber Resilience Act. Companies are starting to derive concrete questions from these. In the past we talked about security in abstract terms. Now companies come with very concrete challenges, for example operators of plants with old Modbus systems that previously ran in isolation. Due to the European Data Act they must provide the data to the operator or owner, and do so securely. These systems were never designed for that. This is a highly exciting challenge and an ideal application field for our technology.

Do you have an example from your customer conversations or projects that makes this tangible?

Karsten

I cannot name the specific customer, but it is about a company with many cooling units at different sites. The operator notices that energy consumption varies greatly between sites, although the conditions are essentially the same. The device control comes from a plant manufacturer, and the relevant data are stored in that system, in other words information about which unit ran when and for how long. Only with this data can the operator trace where the higher energy consumption occurs and how to reduce it. Now the manufacturer must provide this data to the operator because it is usage data. It therefore belongs to the user, and the user must be able to see transparently what is stored about their usage. This data must also be provided free of charge and in a secure form.

There were several interesting points in there. I will take “free of charge” as a keyword, that also touches business models. Did I understand correctly that in this case you work with different customers and one of the projects is about cooling systems? So the operator uses the equipment in their own operation, right? So it is about the usage and provision of operating data?

Karsten

Exactly. This is data belonging to the user, from which profiles or even personal information can be derived. This data is stored in the systems, and it must be made transparent which information is captured, and access to it must be granted.

Under the EU Data Act, as I have understood it so far, manufacturers, for example a cooling equipment manufacturer, must grant their customers access to device data. For example to energy consumption data, as in your example. So it is about data access. And the law, as far as I know, has been in force since September 2025.

Karsten

Exactly, that was on September 11 of this year. That is when it came into force.

And what does that mean concretely? Why is this a challenge for many manufacturers?

Karsten

Many of the systems installed today were conceived in the 1980s. In this environment, Modbus or RS485 is the standard, and there are very many devices that use exactly these protocols. This technology is not being updated across the board, especially not the controllers. Often these are devices that are not internet capable or have no network interface. Keeping the existing components makes it difficult to meet the new requirements. A complete replacement would be very labor intensive. The plant manufacturer would have to replace their technology extensively, and device manufacturers would also have to redevelop devices that have been sold and in use for years. Whether that will happen is questionable, because economically it often does not make sense.

[08:09] Challenges, potentials and status quo – This is what the use case looks like in practice

What should I do to secure existing systems, sticking with the Modbus example? Are there recommendations or best practices to avoid a regulatory problem?

Karsten

It is less a purely regulatory problem, rather there are many approaches to securing Modbus segments. A common argument is: Modbus runs separately from the corporate network, therefore it is safe. That is not true, because the Modbus cable runs across the plant and is physically accessible. You often cannot ensure access protection for this cable, which makes it compromisable. This argument is therefore not valid.

Just to be clear, by separate network segments you mean separate IT networks, for example a dedicated network for logistics devices and another for the corporate network?

Karsten

In the corporate network there are subnets with encrypted IP communication. The Modbus devices, however, are often not part of this network, they are connected via a gateway using Modbus.

And then they go out to the manufacturer?

Karsten

Exactly. The problem is that from this device a cable runs to other devices, and this cable is accessible. Virtually there is a separation, meaning I cannot access the Modbus segment directly from the corporate network via data communication, I have to go through a gateway that is hopefully protected. In the case of Modbus this is often not so in practice, although it would be possible in theory. What matters is physical access. If an unprotected channel is physically accessible, it can be manipulated at will and is therefore not secure.
Another approach that is often discussed is to secure Modbus communication itself. However, that has many drawbacks. On the one hand it affects traffic on the line, because Modbus typically operates at only 100 kilobits per second. On top of that, all devices would have to be updated, and that is where the problem lies. There is an enormous variety and number of devices that would all have to be brought up to date in order to communicate securely over Modbus. In addition, bandwidth problems can arise if you add encryption when the line is already at capacity. Therefore, in practice this will hardly be implemented, because adapting all devices is simply not realistic.

Is there a reason you focus specifically on Modbus? It is one of the oldest industrial communication protocols. What if I, as a manufacturer, use other systems or interfaces? Is that also a problem, or does this only affect Modbus?

Karsten

I mention Modbus because it is extremely widespread. The topic also affects other fieldbuses such as CAN bus. In vehicles the transition to Single Pair Ethernet is already taking place, including in the truck and trailer domain. In principle what I said applies to all fieldbus systems. Modbus is simply the most widely used fieldbus in industry, especially in the areas we work in.

Perhaps a brief orientation for everyone who is not familiar with Single Pair Ethernet: It is essentially a networking technology that transmits data and power over just one pair of wires, right? Previously there were more conductors. Do I have that right?

Karsten

Exactly. With classic Ethernet or Fast Ethernet we had two wire pairs, so four conductors. With Gigabit Ethernet it is eight conductors or four pairs. With Single Pair Ethernet, as the name suggests, we can transmit data over only one pair. That is particularly interesting for existing Modbus installations, because the existing cabling can be reused. The real core of the technology, however, is miniaturization. Over the last 30 to 40 years controllers and chips have become ever smaller. Today a server fits on the size of a fingernail, yet the network interface has stayed the same size in that time, especially the magnetics section, the part with the coils. With Single Pair Ethernet that part now becomes significantly smaller. This creates an entirely new device category that can be connected directly via Ethernet for the first time. That is the real added value. Of course it is nice to have only one pair of wires, but the biggest advantage is the reduced electronics of the communication interface.

Super interesting. I will not go deeper into the tech now, but if you are listening and find the topic exciting, I will link Karsten’s contact in the show notes. I think LinkedIn is a good place to exchange details, including questions like why a gateway may no longer be needed or what other advantages there are. You are warmly invited to reach out directly to Karsten if you want to learn more.
Back to the EU Data Act for a moment. What would be your three most important points, for example for a cooling unit or another connected system?

Karsten

The main attack surface is the cable, because with Modbus it is often routed across entire plants or through different rooms. I therefore have to enable encrypted communication over that cable. I can do that in different ways. One option is to lay completely new network based infrastructure. With Single Pair Ethernet, however, I have the advantage that I can continue to use the existing cable. You can communicate over it with high bandwidth, and the channel can be encrypted. For that you place an adapter in front of each device that takes the Modbus RTU signal, translates it into the Ethernet world, and encrypts it. So you only need to update the individual stations, and additionally place a corresponding device in front of the controller. This secures the entire cable segment, communication runs encrypted, and you only need access control for the respective devices.

Can I even implement this as a manufacturer? After all, I have sold the cooling unit and am initially out of the data loop. That would rather be something the end customer has to do, right?

Karsten

Exactly, that lies with the end customer or with the customer’s system integrator who carries out the retrofit.

I see. So as a manufacturer I cannot retrofit anything myself because I no longer have access to the device, right?

Karsten

The manufacturer can offer retrofit modules that perform exactly this conversion from Modbus RTU to Single Pair Ethernet. In the long term the manufacturer can of course also further develop the devices and replace the Modbus RTU interface with an Ethernet interface directly. It is unlikely, however, that all devices will be redeveloped in the short term. That is why brownfield solutions are needed that enable a step by step upgrade and support a mixed operation of old and new devices.

Exactly, and that brings us to you. You at Perinet are active in IoT hardware. I believe you have a so called Smart Adapter, right? I think it is called the periNODE Smart Adapter. With it you can turn a Modbus device into an active network participant, basically a plug or adapter, right?

Karsten

Exactly. It is an adapter where you connect the existing Modbus RTU device on one side. On the other side you have the Single Pair Ethernet interface. The data is then transmitted via Single Pair Ethernet. This is particularly suitable for industrial environments where M8 screw connectors are used. We are also working on a solution for the building sector where terminal blocks are more common. Single Pair Ethernet is very interesting there as well because it does not necessarily need a plug. You can also land it on terminals.

So if you are wondering what to do: First, check your cables, that is what we have learned. And Perinet offers suitable IoT hardware, such as the adapter with which devices can be connected securely. Of course there are other solutions on the market, but this is one approach to securely connect existing devices in line with the EU Data Act.

Karsten

Exactly, and a very important point is the software. We often talk about these small devices themselves, the hardware, but they are in fact active devices. A large part of the software runs on these devices. Modern security mechanisms are implemented there, for example for encrypted network communication and for authenticating devices or users. That should not be forgotten. I always say: In development in this field roughly one third of the cost is hardware and two thirds is software. If you have not worked on security before, that is a substantial challenge.

Do you mean IoT software here as the operating system that runs on the adapter?

Karsten

Exactly. It is essentially a small server in a very compact form. And like any server, it runs software that is active on this node.

Perfect. Then our first learning is the topic of cabling and hardening. What would be your second point that should definitely be considered in this context?

Karsten

Network security, definitely. You should understand how it works and how to make it manageable, because with IoT there is always network communication. In many conversations I notice that this makes some people nervous. I want to take that fear away. My favorite example is messenger services. At the beginning there were encrypted and unencrypted variants, and the encrypted ones were often hard to set up. Today they are commonplace and easy to use. It can work the same way in industrial environments.
In the IoT space it is crucial that the typical installer who used to set up Modbus segments is also able to establish a secure network connection without always having to call in an IT expert. That is possible if the software is designed properly. So you should actively address this topic and develop simple, practical solutions that can be operated in the field. It is not just about how to lay cables or connect terminal blocks. Network communication is a new layer that you have to understand and integrate into the overall concept, including appropriate training for users.

Karsten, you are also exhibiting at SPS in Nuremberg, right? I believe you are showing quite a bit in this direction. That would be a good place to dive deeper. Do you have a booth there?

Karsten

Definitely. We are showing our live systems there, and you can see how they are operated. That is exactly what matters to me. With security, many people immediately feel apprehensive or think it is complicated. But it is not. It is simple and safe.

Very good. I will include the exact location of the Perinet booth in the show notes. Do stop by. We also have an IoT meetup on the Tuesday of SPS, a networking event. That is November 25 at 4 p.m. at our partner Endress+Hauser’s booth. You can meet Karsten there, our team will be on site, as well as many users from the network. If you are listening later or are not at the trade fair, no problem. I will put the contacts in the show notes. Feel free to get in touch.
We also have a community for exchange. You are welcome to join, the link is in the show notes. I look forward to welcoming you to the network. Learning number one was cabling. Learning number two is network security. Can we add a third point that should definitely be considered for retrofit strategies?

Karsten

Choose a retrofit strategy that proceeds step by step. Do not replace everything at once, otherwise you will quickly be left with a mess. In this environment a staged approach is very feasible and reduces risk. Start with the first system or a selected device, gather experience, and then roll it out step by step across the plant. Avoid solutions that demand a complete switchover in a single step.

What does such a step by step approach look like in concrete terms? How do your customers do it?

Karsten

Roughly speaking, the first step is to secure the communication. To do that, you install an adapter in front of each controller or field device as well as in front of the main controller, which serves as a bridge to the network. That way communication over the former Modbus cable is secured. Nothing about the actual system changes. The controller remains the same, and so do the devices. The program running on the system also remains unchanged. The installation continues to operate as before, but is now securely connected.
After that you can start implementing the requirements of the European Data Act, meaning safely extracting the data and providing it to the operator or owner of the installation. Then you can proceed step by step and replace devices to turn them into real IoT devices that no longer communicate only via Modbus but identify themselves as independent participants on the network. This can happen either via the same adapter by loading software updates there, or via new devices in which the computing technology is already integrated so that they act like small servers on the network.
This allows the system to be transitioned into IoT applications step by step. A natural next step is to virtualize control in the cloud. This is an advantage especially for systems that exist in large numbers, because then the question is when and how to roll out new software. With centralized cloud control, rollouts can be carried out much more easily and safely.

So the third aspect is, choose your retrofit strategy step by step. What does the typical end result look like for the customer? In other words, the interaction of your Perinet components and, if applicable, security consulting, what does the user actually see in the end?

Karsten

At present, every project also includes consulting services. The whole field is developing rapidly, and there is a lot of marketing with partly contradictory statements. That is why consulting on integration is always an important component alongside the product business. The outcome for the customer is, first and foremost, security, both technical and operational. Operators should feel comfortable with the solution and trust that their data communication is secure, even when old systems and modules continue to be used. With a step by step approach you can achieve a great deal with small measures. This allows the customer to learn what they really need and to expand step by step.
If, on the other hand, you choose a complete solution that immediately changes the entire system architecture, it becomes difficult to define the right requirements. Many aspects are not yet known, and you risk setting the wrong priorities or overlooking important points. I like to compare this with range anxiety in electric cars. People who have never driven electric often worry about being stranded. Those who have driven for years know that this fear is unfounded. It is the same with large IoT modernizations. If you change everything at once, you take on unnecessary risk. With a step by step approach, investment security increases. Customers know better what they need and can proceed step by step with small, plannable budgets instead of making one huge investment all at once.

That is a good summary. Do you have any final learnings or typical pitfalls from your projects over the last one to two years, things where you would say this is not the way to do it?

Karsten

Basically it aligns with what I just said. This is new territory for both worlds. On one side you have automation engineering, which suddenly has a faster fieldbus but sometimes does not really grasp what IP communication is. On the other side you have IT administration, which considers this its domain. In practice this often means the central IT department suddenly gets involved in topics like issuing certificates or keys for plants. Then processes arise that are far too cumbersome. The installer sets up a device, has to create a ticket with central IT, and receives the certificate two days later. In that time the machine may be standing still. Situations like this have already led to frustration in projects.
That is why it is crucial to clarify responsibilities early. IT needs to understand that a technician in the field should be able to handle network capable devices as easily as people use a messenger today. At the same time technicians need to understand that this is not just a faster fieldbus, it is a completely different kind of communication inside the devices.

[27:04] Transferability, scaling and next steps – Here’s how you can use this use case

Where do you think this topic is heading? What is coming our way?

Karsten

It is actually hard to keep both feet on the ground with this vision. As the network pushes out to the edge of the physical world, real smart environments can emerge in which we interact with things and our surroundings in a completely different way. In the digital world we usually do not communicate directly. We first go to the boss, meaning the cloud, and only then are we allowed to talk to each other. The moment I have a smart environment it works like in real life. We meet in a room, introduce ourselves, and start a conversation. We know ourselves what we are talking about, what we may say, and what must remain confidential. This creates a completely different usage pattern. We do not have to ask anyone whether we are allowed to talk to each other. This simpler, changed mode of communication alone can lead us to interact with the world in a very different way. Perhaps similar to a metaverse, except that it actually happens in reality. Whether that will already be the case in five years, I do not know. Ultimately this is the vision. We are bringing Ethernet and end to end communication to the very edge of the physical world. That will change the world, just as every previous evolutionary stage of the internet has changed it. In 2007 I did not know what it would mean for a phone to have no keyboard.

I can well imagine that this brings enormous complexity, especially in the IoT segment. When you suddenly have hundreds or thousands of devices and perhaps link live data with AI applications, it becomes a technical and organizational challenge. In some projects in our network we are already seeing the first applications where AI accesses live data directly. If you imagine a service in the cloud, say in Azure, querying a cooling unit directly, the data must travel the whole path there and back securely and reliably. Ensuring that technically will be a real challenge.

Karsten

That will definitely be a challenge, and IT needs to be involved as well. Over the past decades the internet has become highly centralized, everything has moved toward the cloud. With IoT that changes fundamentally, because suddenly there are thousands more servers directly in the field. Data flows no longer go only in one direction to the cloud, but increasingly locally as well. In the future I will address the server on site rather than the one in the cloud. Coordinating this new data direction and how systems react to each other is a major task. A good example is the browser. How does it ensure that a local device is trustworthy without asking a central authority who owns it? There will be many exciting developments in this area. Solutions will emerge, but what I find even more interesting is how the world changes once these systems actually run. To be honest, today I do not know exactly what this will look like in five or ten years.

Especially when you consider that many operator architectures also include the manufacturers’ clouds. Manufacturers, especially in the sensor space, often bring their own cloud systems that must be integrated into the infrastructure. That leads to high complexity because multiple clouds have to communicate with each other. You have to think through this architecture carefully to keep it manageable in the long term.

Karsten

That is true, but much can also be simplified. When I look at my setup at home, inverter, battery system, heat pump, and electric car, these devices could communicate locally with each other. Why would I still need the manufacturer’s cloud for that? If the systems could talk directly, many things would become simpler. Essentially it is like real life. We say hello to each other on the street. In the future devices will say hello to each other in the digital realm. That can simplify the entire interaction significantly.

I also think a lot will change in the coming years. Especially the topic we had at the beginning, the free provision of data, will play a major role. In recent years almost every manufacturer has offered their own cloud, yet many end customers want to keep data sovereignty. I think we are moving away from the idea that every manufacturer needs their own cloud, toward secure interfaces that simplify data exchange. What you describe fits exactly with that. And it can be implemented with your products, which I find very exciting.
Before I go too deep: Thank you, Karsten. I found the conversation really exciting. Today we looked at what the EU Data Act means in practical terms and shared some clear recommendations for action. I will include the primary sources and links to the EU Data Act of the European Union in the show notes if you want to dive deeper into the topic.
I will give you the last word, Karsten. Thanks for joining us, maybe we will talk again next year for a new episode.

Karsten

Yes, I would be happy to. It is an incredibly exciting topic, and I am sure development will continue. We should make the best of it.

Very good. Then I wish you a great week, take care, bye.

Karsten

Bye!

Questions? Contact Madeleine Mickeleit

Ing. Madeleine Mickeleit

Mrs. IoT Founder of IIoT Use Case GmbH | IoT Business Development | Which use cases work and HOW? Focus on practice! #TechBusiness #AddedValue