Growing connectivity in mechanical engineering is driving up the demand for cyber security measures. DevSecOps is increasingly establishing itself as an effective approach to integrating security into development and operational processes. The combination of development, operations and security makes it possible to avoid vulnerabilities or detect them early and then eliminate them in a targeted manner.
The successful introduction of DevSecOps requires comprehensive advice and support from specialists such as XITASO GmbH. The company is an expert in high-end software engineering and covers all services along the life cycle of customized software. It supports the development teams of mechanical engineering companies in all aspects of DevSecOps.
Challenges posed by software-supported and connected machines
Software-supported products that connect to cloud services or other machines on the shopfloor via networks are an important trend in mechanical and plant engineering. Process data such as working speed, number of pieces and temperature are transmitted. In addition, there are often remote services that enable remote maintenance and diagnostics. This connectivity comes with challenges. Protecting operating data, recipes or process parameters is therefore a business-critical factor. The 2024 corporate security report from the digital association Bitkom provides an insight into the consequences of cybercrime:
- Around 72 percent of German companies experienced data theft in 2023.
- The total loss amounted to more than 200 billion euros.
- Cyber criminals focus on customer and employee data as well as emails.
- One in three companies has increased the share of IT security in their IT budget to 20 percent or more.
Lawmakers have also recognized the urgency of the issue. The Cyber Resilience Act and other EU regulations require manufacturers to provide concrete proof of the security measures in their digital products. The necessary speed and agility in development make the situation even more challenging. The most important requirement for software development in mechanical and plant engineering: security must be systematically and continuously integrated into all development and operational processes.
Development and operations: DevSecOps as the solution
A practical solution to this challenge is DevSecOps. This concept combines software development, operations and security into an end-to-end process that allows for the continuous review and improvement of security-relevant aspects. Instead of addressing security measures only at the end of a project, they are integrated from the very beginning.
Together with agile development, this concept replaces the traditional approach to designing, developing, testing and deploying software in mechanical and plant engineering. In short, DevSecOps requires comprehensive consulting and support, such as that offered by XITASO.
How DevSecOps works
DevSecOps is an evolution of DevOps, in which development and operations work closely together. Its goal is to deliver software faster, more reliably and continuously. DevOps ensures a smooth, incremental development process with a high degree of automation and short release cycles.
DevSecOps extends DevOps to include IT security aspects. Developers identify potential vulnerabilities as early as the planning and design phases and implement appropriate protective measures. As development progresses, the focus shifts to secure development guidelines and automated testing.
The DevSecOps methodology includes a range of technical and organizational measures. In addition to classic IT security tasks such as encryption and authentication, process organization is also critical. This includes building automated security pipelines, conducting threat analyses, designing secure architectures and training development teams.
A key aspect is fostering a culture of security. Companies must embed awareness of risks and protective mechanisms throughout the organization – all the way to top management. A shared language for security issues and an understanding of their business-critical importance are essential for making DevSecOps work in daily practice.
Security by design: the core principle of DevSecOps
A key element of successful DevSecOps processes is the security-by-design approach. This means that IT security is integrated into the development process from the very beginning to eliminate vulnerabilities as early as the architecture and planning stages. Security by Design with DevSecOps includes, for example:
- Reducing the attack surface
- Choosing secure technologies and protocols
- Strict separation of critical and non-critical components
- Automating security checks
- Using AI for security assessment
Reducing the attack surface
Products and their system software should offer as few potential entry points as possible for attackers. The more functions are exposed externally, the more vulnerable a system becomes. That is why systems should be limited to essential, clearly defined features.
Using secure technologies and protocols
Security-critical functions should rely only on proven, well-documented technologies – such as widely accepted encryption and authentication methods. Custom-built solutions are frequently an entry point for security vulnerabilities.
Separating critical and non-critical components
Security risks can be mitigated by spatial, logical or functional separation of system components. This is especially important at the interfaces between critical and non-critical elements.
Using an automated security pipeline
As part of the development process, this pipeline checks both proprietary code and third-party components for known vulnerabilities. It automatically identifies and reports weaknesses to prevent them from reaching production. This also helps speed up development.
Using AI to assess security
Artificial intelligence evaluates the vulnerabilities found and prioritizes them based on relevance. This reduces the workload for development teams, allowing them to focus on the most critical issues. As a result, response times to new threats improve significantly.
Securing digital platforms in mechanical engineering
A manufacturer of extrusion systems is putting this approach into practice. Its customers use a digital platform to retrieve real-time status data from their machines. This data comes directly from live production processes – including temperature curves, rotational speeds and recipe parameters. Such information can reveal detailed insights into operational workflows.
This poses a significant risk to the protection of trade secrets. Potential attackers could exploit this data to replicate production strategies or take advantage of specific process optimizations. The uncontrolled leakage of such information can lead to a substantial loss of competitive edge.
In addition, cyberattacks targeting the platform could disrupt production. For example, overloading a communication interface could block control commands. As a result, the machine would automatically switch to emergency mode, causing downtime and additional costs.
To assess these risks, XITASO analyzed the system architecture and identified and evaluated potential attack vectors. Follow-up measures included securing data communication, implementing a differentiated role and permission management system, and enforcing strict separation of critical functional areas within the architecture. This approach laid the foundation for a sustainable security strategy.
DevSecOps as a continuous change process
A structured DevSecOps approach can overcome current challenges in mechanical engineering. These include increasing connectivity, the protection of trade secrets, the integration of safety-critical functions and compliance with legal requirements. However, this approach is not a one-time implementation that then runs on its own.
DevSecOps is more of a continuous approach that needs to be embedded in existing processes. This enables companies to design their systems securely from within. It affects not only technical processes but also ways of thinking. Developers must be able to factor in security aspects. Organizations need structures to implement this requirement.
XITASO supports this transformation with a broad range of services. These include analyzing existing systems, designing and implementing secure development processes, and integrating security measures into CI/CD pipelines. XITASO also helps companies foster interdisciplinary collaboration between development, IT and management. Those interested in learning more about practical use cases and technical possibilities can schedule an initial consultation with no obligation.