News from the Wire

#1 cyber threat: software supply chain attacks targeting industry

Tuesday, June 03, 2025 — 17:15:21 (UTC)

Düsseldorf, 3 June 2025 – The German industrial sector is experiencing an increasing number of cyberattacks targeting smart, embedded systems through the software supply chain. These attacks often infiltrate systems through third-party components, software libraries, or compromised firmware updates. Düsseldorf-based cybersecurity firm ONEKEY, which operates the Product Cybersecurity & Compliance Platform (OCP) for automated analysis of embedded system software, is drawing attention to this increasing threat.

This form of cybercrime exploits security vulnerabilities in the supply chain, from suppliers and service providers to software providers, to target companies and end customers further down the chain. Industrial plants, machine control systems (also known as OT systems, or operational technology), Internet of Things (IoT) components and other embedded systems are particularly affected. These systems typically have long operating cycles and are rarely analyzed, monitored or updated in a security-critical manner. “There is an acute need for action here,” said ONEKEY CEO Jan Wendenburg, addressing the industry. He explained: “Cybersecurity must encompass the entire value chain in order to be effective.”

In a recent study, the market research company Cybersecurity Ventures estimated that supply chain attacks cause $80 billion worth of damage worldwide each year. “The complexity of global supply chains exacerbates the problem,” said Jan Wendenburg. He referred to a report by the European Union Agency for Cybersecurity (ENISA), which states that two-thirds of companies in the EU have been affected by compromised suppliers at least once. ENISA identifies supply chain attacks as one of the top five threats to industrial IT and OT systems, and names them the number one cybersecurity threat in its “ENISA Foresight 2023 Report”.

Every Precursor Can Become a Risk

The German economy has traditionally been highly internationalized. The value of intermediate goods imported by German industry from around the world and incorporated into its products amounts to around 370 billion US dollars. These imports of intermediate goods are of central importance to production in Germany. Jan Wendenburg outlined the scale of the threat: “Every piece of software used, and every intermediate product equipped with networked digital technology poses a potential threat.”

The major threat posed by supply chain attacks is that, once a company has been infected with malware, the malware is also passed on to customers via product deliveries. For example, a machine manufacturer could supply its customers with systems containing industrial control units that are infected with malware. This malicious code could enter the supply chain in two ways: either as software incorporated during the product development process, or as part of an intermediate product that is installed in the final product.

Demand for Security Assessments Is on the Rise

“This trend is alarming, as the supply chains of German industry are highly networked, meaning a single attack could have far-reaching consequences,” explained Jan Wendenburg. He added: “Embedded systems used in control technology, automation or IoT devices should therefore undergo a comprehensive cybersecurity check.” This applies to all components, including those purchased from suppliers, not just those developed in-house.

According to ONEKEY, there has been a significant increase in demand for security checks of devices, equipment and systems with real-time operating systems (RTOS), which are commonly found in embedded systems. Just a few months ago, the Düsseldorf-based cybersecurity company enhanced its Product Cybersecurity & Compliance Platform (OCP) to analyze RTOS firmware for vulnerabilities and security flaws. This marks a significant breakthrough, as scanning monolithic binary files—commonly used in real-time operating systems such as FreeRTOS, Zephyr OS, and ThreadX—was previously considered extremely difficult, if not impossible, within the industry.

Open Source Security and the Lessons of Log4Shell

Open-source components are included in around 80 per cent of all firmware stacks for embedded systems and are therefore considered a particularly critical point of vulnerability in the supply chain. Vulnerabilities in popular libraries such as uClibc, BusyBox and OpenSSL can affect many systems simultaneously. The Log4Shell case in 2021 – a vulnerability in the popular Java library Log4j – demonstrated the potential consequences of an insecure software component, even when it is used in only a single subsystem. Log4Shell is considered one of the most serious security vulnerabilities in recent decades, given that the library is used in millions of Java applications, including tens of thousands of OT and IoT systems.

“The increasing complexity of industrial systems, the large number of external providers, and the long-term use of embedded systems mean that supply chain attacks are becoming an ever-greater threat,” said Jan Wendenburg. He referred to forecasts by the Gartner Group suggesting that, by 2026, more than 45 per cent of all companies will suffer at least one cyber incident via the supply chain affecting their ability to operate.

Much Is at Stake: Production, Reputation, and Delivery Capability

“The ever-increasing integration of industrial IoT systems and robotics, right through to autonomous production lines, is virtually opening the floodgates to supply chain attacks,” explained Jan Wendenburg. He appealed to company management, saying, “It is high time to systematically check the security risks of software for embedded systems, regardless of whether it is developed in-house or by suppliers, before and after implementation. Those who fail to do so are jeopardizing not only their production, but also their reputation and their ability to deliver.”

There is also a legal aspect to consider: the EN 18031 standards under the Radio Equipment Directive, the EU Cyber Resilience Act (CRA) and other legal requirements mean that manufacturers must take responsibility for the cybersecurity of networked devices, machines and systems. ONEKEY's Product Cybersecurity & Compliance Platform (OCP) uses the Compliance Wizard to enable automated verification of conformity with the CRA and other relevant cybersecurity standards. This makes it much easier to prepare for audits and reduces the bureaucratic effort required by new laws.

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes, without source code, device, or network access. Integrated software bill of materials (SBOM) generation allows software supply chains to be audited proactively. "Digital Cyber Twins" enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
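The SBOM-driven supply chain audit mentioned here, and the earlier point that one vulnerable library (OpenSSL, BusyBox, uClibc, Log4j) can expose every product that embeds it, come down to one check: compare each firmware component's version against the affected ranges of known advisories. The following is an added example written for this page, not ONEKEY's code; the SBOM, the advisory identifiers and their version bounds are all constructed placeholders.

```python
# Added example: audit a CycloneDX-style firmware SBOM against a constructed
# advisory list. Nothing here is real advisory data or ONEKEY platform code.
import json
import re

# Constructed SBOM for a hypothetical embedded firmware image.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "busybox",    "version": "1.35.0"},
    {"type": "library", "name": "openssl",    "version": "1.1.1k"},
    {"type": "library", "name": "uclibc-ng",  "version": "1.0.40"},
    {"type": "library", "name": "log4j-core", "version": "2.14.1"}
  ]
}"""

# Constructed advisories: (component, first affected, first fixed, label).
# Labels and version bounds are illustrative placeholders, not real CVE data.
ADVISORIES = [
    ("openssl",    "1.1.1",  "1.1.1l", "EXAMPLE-OPENSSL-1"),
    ("log4j-core", "2.0",    "2.15.0", "EXAMPLE-LOG4J-1"),
    ("busybox",    "1.36.0", "1.36.1", "EXAMPLE-BUSYBOX-1"),
]

_PART = re.compile(r"(\d+)([A-Za-z]*)")

def parse_version(v):
    """Turn '1.1.1k' into ((1,''),(1,''),(1,'k')) so tuples compare in order.

    Handles OpenSSL-style letter suffixes; raises on tokens it cannot parse
    rather than silently misordering them."""
    parts = []
    for tok in v.split("."):
        m = _PART.fullmatch(tok)
        if not m:
            raise ValueError(f"unparseable version token: {tok!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)

def is_affected(version, first_affected, first_fixed):
    """True if version lies in the half-open range [first_affected, first_fixed)."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)

def audit_sbom(sbom_json, advisories):
    """Return sorted (component, version, advisory) for every in-range component."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not name or not version:
            continue  # an SBOM entry without a version cannot be matched
        for adv_name, lo, hi, label in advisories:
            if adv_name == name and is_affected(version, lo, hi):
                findings.append((name, version, label))
    return sorted(findings)
```

Running `audit_sbom(SBOM_JSON, ADVISORIES)` flags openssl and log4j-core and leaves busybox (below its affected range) and uclibc-ng (no advisory) untouched.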

The patent-pending, integrated Compliance Wizard™ already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform (OCP) and ONEKEY Cybersecurity Experts.

Further information: ONEKEY GmbH, Sara Fortmann, Email: sara.fortmann@onekey.com, Kaiserswerther Str. 45, 40477 Düsseldorf, Germany, Web: www.onekey.com

Source: Company press release.
