News
AI-based security engineering for industrial products – support for small and medium-sized enterprises under the Cyber Resilience Act
Lemgo. Machines, control systems, and networked industrial products are increasingly becoming the target of cyberattacks. At the same time, the regulatory framework is becoming more stringent: with the European Cyber Resilience Act (CRA) and standards such as the IEC 62443 series, manufacturers must demonstrate that their products are adequately protected throughout their entire life cycle, from development to end of support. Many small and medium-sized enterprises (SMEs) are thus facing a challenge on several fronts: their products are often not up to date with current security standards, suitable processes are lacking within the company, and specialized security expertise is scarce.
This is exactly where the "SRAG" research project of the Fraunhofer Institute IOSB-INA in Lemgo comes in. The project team is developing AI-based building blocks for modern security engineering, i.e. methods, processes, and tools with which IT and OT systems can be developed "secure by design" from the outset. These include secure software development, tools for analyzing and defending against attacks, and a structured security process across all phases, from conception to operation.
An AI-supported gap analysis is a key component of this process: based on the current status of products and business processes, the system automatically determines which requirements from the Cyber Resilience Act and standards such as IEC 62443 are already met, and where specific gaps remain. In addition, other components are being researched, such as support for the design of network segments and zones (the zones and conduits of IEC 62443), firewalls, and identity and access management. Instead of "the one" approach, the result is a flexible modular system whose building blocks can be combined depending on the company's starting point.
Another component of SRAG is AI-supported threat modeling and risk analysis. Based on product architectures, communication paths, and user roles, the AI identifies typical attack vectors and assesses the associated risks. It suggests appropriate countermeasures, such as hardening industrial control systems, deploying intrusion detection and prevention systems (IDS/IPS), encryption, or endpoint security. Throughout this process, security engineers remain in control: the AI provides suggestions that are reviewed and adapted by experts before being implemented in security architectures, penetration tests, and code audits.
A particularly important aspect for medium-sized industrial companies is the protection of sensitive data. The AI modules developed in the SRAG project are designed to run locally within the company, for example directly in the development network or in a secure data center. This means that internal design data, network plans, or log files do not have to be uploaded to an external cloud. Companies retain control over their data and can still use modern AI methods for security engineering, monitoring, and incident response.
With AI-based security engineering, Fraunhofer IOSB-INA aims to enable small and medium-sized enterprises in particular to develop standard-compliant and resilient industrial products, without having to bring in external teams of specialists for every issue. The SRAG project thus makes a significant contribution to making industrial value creation in Germany and Europe future-proof and cyber-resilient.