
Industry experts discuss equipment cybersecurity at Bauma 2025

The panelists at the cybersecurity roundtable (L-R): Marcus Hiemer, ZF Group; Johannes Hipp, VDMA; Roman Hofmann, Liebherr; Chris Sleight, Off-Highway Research; Laura Fiumara, CECE. (Image: KHL Group)

Ours is an era in which it’s hard to find a time we are not connected to the internet. Virtually every desk in every workplace has a networked computer, every pocket carries a smartphone and myriad hands fiddle endlessly with tablets.

Such connectivity has also extended to machines. Dubbed the Internet of Things (IoT), it’s what makes it possible for a piece of equipment to notify an operator of a potential fault condition or for an OEM to deploy a wireless firmware upgrade that unlocks new functionality.

This interconnectedness also makes it easy for unscrupulous bad actors to electronically hijack data — and even the equipment itself.

“Today, we are dealing with a lot of data connected with each other,” said Marcus Hiemer, senior manager, Electronics Off-Highway for ZF Group. “So, it is important to secure the data and then, in particular, the confidentiality, the availability and the integrity of the data.”

Hiemer’s remarks came at a cybersecurity panel discussion at the ZF booth during Bauma 2025. In the discussion, moderated by Julian Buckley, editor of Power Progress International, Hiemer was joined by several other industry experts:

  • Laura Fiumara, digital policy manager, Committee for European Construction Equipment (CECE)
  • Johannes Hipp, technical spokesperson, VDMA
  • Roman Hofmann, product security officer, Liebherr
  • Chris Sleight, managing director, Off-Highway Research

Understanding the Situation

Fiumara spoke about the current cybersecurity threats to equipment.

“I can just say that based on the expertise shared by our members — we represent all manufacturers of construction machinery — the number of cyber-attacks in our industry remains limited at the moment,” she said. However, Fiumara added that the increase in the number of connected machines on the market coupled with increased awareness of cybersecurity among CECE members has led the industry to take action to address potential security threats.


The number of connected devices — albeit not limited to off-highway machinery — is not small. A 2024 study published in the Journal of Science and Technology Policy Management cited a Statista report that said by 2030 there will be about 50 billion IoT devices connected worldwide.

“There’s a lot of malware,” Hofmann added. “It’s automating. There are malware bots around, and nobody can know if your service engineer who’s working on the machine has an infected PC or laptop with service software on it [that delivers] malware on the machine itself.”

According to Hiemer, cybersecurity is an issue that must be addressed across the entire supply chain.

“If we produce an ECU, for example, we have to take care that it is not tampered [with] while it is delivered to the next [stop] in the supply chain,” he said. “So, it’s all about getting all processes managed.”

Regulations and Standards

According to Hipp, the regulatory environment in Europe will soon address IoT cybersecurity.

“At the end of December 2027, everybody has to fulfill the Cyber Resilience Act (CRA) in Europe,” he said. “This regulation handles every product with digital elements. So, every product, from a supplier to your machine — the whole machine — has to fulfill the cyber resiliency.”

Cyber attack. (Image: vectorfusionart via Adobe Stock)

Fiumara added that many manufacturers are waiting for standards development under the CRA. “Under this new regulation, cybersecurity is meant, by design and by default, that all the components and elements of a machine should be designed [from] the design phase [as] cyber-resilient.”

However, there is another regulation that is already taking steps to address cybersecurity, particularly as it concerns telematics: the Radio Equipment Directive (RED). Hofmann described it as “the first step for having some cybersecurity emerge” for the market.

According to an overview of the RED cybersecurity requirements on the TÜV SÜD website, additional provisions to RED were introduced in January 2022. They include enhanced network protection, personal data protection and fraud protection. These requirements become effective this year on Aug. 1.

“There are standards already available for the Radio Equipment Directive addressing all the radio equipment products and elements,” Fiumara said. “This would be the first step for the implementation of the CRA — also in combination with the machinery regulation, which addresses particularly [in] our sector machinery.”

According to Hiemer, there are other standardization activities occurring to address cybersecurity.

“We are working on an off-highway ISO standard for cybersecurity,” he said, referring to ISO 24882. “At ZF, we are developing our new controller according to that standard, as well.”

Hiemer explained that while ZF’s EC5 controller was developed before stricter cybersecurity protocols were in place, the unit now complies with the proposed cybersecurity standard while keeping the same form factor.

Beyond Europe

While the aforementioned regulations reflect European cybersecurity legislation, the panel discussed the potential for similar legislation in other regions of the world. Sleight saw that proliferation as a challenge for OEMs.

“There’s a United Nations study that found that 80 percent of the countries of the world have some sort of cybersecurity legislation, and a further 5 percent or so are developing them,” he said. “And that is a worry, because we’ve seen this in other aspects of product conformity — that there’s a general direction of travel. We’ve seen it with engine emissions. But when things aren’t harmonized, it adds a lot of headaches and a lot of costs.”

Sleight said that even if regulations around the world are functionally similar, the certification requirements for sale in different geographic regions could be onerous.

“I think that’s one of the big concerns in the industry around cybersecurity — does the industry have to do it over and over again in multiple blocks and multiple areas, even with ISO and SAE standards?”

Obligations for Users

The panel suggested that users have a role to play in cybersecurity, as well.

“There will be a kind of education process for the industry,” Sleight said. “The products will be cyber-resilient, and that’s what the customers will use, but I think there will be some responsibility on them to understand what’s good cybersecurity practice and what’s risky behavior.”

While the panel said that it will be incumbent upon OEMs to provide cybersecurity updates to machines over their effective life, it will be up to end users whether they choose to implement those updates.
