2026-01-01 VDE dialog

Cybersecurity "Everyone Has to Do Their Part"

To better protect critical infrastructure in Germany, responsibility does not lie solely with operators — says Andreas Harner, Head of CERT@VDE & DKE Cybersecurity.

Interview: Martin Schmitz-Kuhl

Portrait photo of Andreas Harner, Head of CERT@VDE and DKE Cybersecurity (photo: VDE)

Critical infrastructure must become more resilient to cyberattacks in light of new threat scenarios. What role does CERT@VDE play in this?

Andreas Harner: At CERT@VDE, our core focus is supporting industrial partners with what we call advisory handling – meaning the management of vulnerabilities in their products. This topic has long been central to cybersecurity and is becoming even more important with the EU Cyber Resilience Act (CRA). This new regulation obliges all manufacturers of products with digital elements to inform users about known vulnerabilities. It affects almost every sector across Europe. A key change is that cybersecurity requirements will now become part of the CE marking. In other words, anyone who wants to sell or place products on the European market must comply with the CRA. We also support industry in developing “Harmonized European Standards,” which will help companies declare conformity with the CRA.

And this CE marking is also relevant for operators of critical infrastructure?

Absolutely. Critical infrastructure is subject to the so-called NIS Directive. It targets operators – for example in energy supply or transportation – and with NIS-2 now includes many additional companies, such as those in manufacturing. To fulfill their obligations, operators need products that support the security requirements of the directive. This is where the CE marking comes in: it ensures that products meet defined cybersecurity standards. For operators of critical infrastructure, that’s essential – their systems must be reliable and secure. If a vulnerability is discovered later, the manufacturer is required to inform operators. The CRA therefore creates a clear link between manufacturers and operators and extends security across the entire digital supply chain in a meaningful way.

What roles do VDE and DKE play in implementing these new requirements?

One important point is that the CRA does not specify every technical detail in the law itself. Instead, it follows the New Legislative Framework, which provides a regulatory outline. The concrete technical requirements are delegated to European standardization organizations. This is where DKE comes in: it is responsible for creating the appropriate standards that translate legal requirements into technical specifications. That is a major challenge – not only for the German and European industry, but globally. Anyone wishing to import products into Europe will have to meet these requirements. VDE and DKE therefore play a key role in making EU regulations practically implementable while ensuring international compatibility.

That sounds like a lot of work for industry. How are companies reacting?

It is certainly an effort – but a necessary one. Internationally, our products and companies are increasingly targeted by attackers, and we must protect ourselves across the entire supply chain. It’s like driving a car: as a driver, you’re responsible for others on the road. In the same way, every actor in the supply chain must consider the others. The CRA ensures fairness, because everyone must meet the same security requirements. Security is no longer optional. This is crucial for long-term global competitiveness.

Still, many companies do not take the threat seriously. Why?

Because the threat often feels too abstract. When you tell a CEO that the risk is growing, he might say, “I don’t notice anything.” But data may already have been stolen – designs, patents, product ideas. Often, companies only realize this when a near-identical product appears at a trade fair. These attacks remain invisible because attackers quietly use the stolen knowledge. That makes the issue so difficult. Many companies do not perceive the threat because they do not feel the impact directly. Only a few can perform proper risk analyses that clearly show the dangers and potential consequences. Talking about threats is not enough – you need a concrete risk assessment and specific mitigation measures.

How does CERT@VDE support industry in practice?

Every software product contains vulnerabilities – given today’s complexity, that is unavoidable. Many manufacturers use hundreds or thousands of components – many of them purchased. The task is to detect vulnerable components as early as possible. This is exactly what CERT@VDE helps with. We collect vulnerability information and make it available to our industrial partners. When a vulnerability is discovered – by our partners, researchers, operators or other experts – we initiate the “coordinated vulnerability disclosure process”. We then analyze which versions are affected, how critical the vulnerability is, and what measures are required. That may be a software patch, or a temporary workaround such as isolating the system until a fix is available. The crucial point is that we communicate this information clearly and in a structured manner. CERT@VDE ensures that advisories are produced – documents that tell operators exactly what to do. This enables manufacturers to inform customers worldwide and close security gaps before they can be exploited.

What kinds of companies rely on CERT@VDE?

Currently around 60 companies, many of them large, internationally active manufacturers with combined annual revenues exceeding €80 billion. Their products are used across numerous sectors, including critical infrastructure – water and energy supply, chemical parks, or offshore platforms. A platform might use sensors from Pepperl+Fuchs, controllers from Phoenix Contact, or displays from Beckhoff Automation. This diversity makes cybersecurity extremely demanding. In classic IT, devices are relatively standardized. In Operational Technology (OT) – where physical processes are controlled – every system is different.

And VDE focuses specifically on OT security?

Exactly. We deal exclusively with OT security – the safety of systems that control or monitor physical processes: energy grids, production facilities, chemical plants, water utilities. Of course, these environments also contain IT components. But what matters most are the systems that control machines and processes in real time.

And this interface between IT and OT is what modern cybersecurity is about?

Correct – and it is often overlooked. The cyber domain now includes far more than office computers or data centers. It includes networked hospitals, manufacturing systems, energy and water networks – everywhere IT and OT converge. That’s why we speak of cybersecurity, not just IT security.

If you had to name one core message – what should be better understood in public debate?

That everyone is part of a supply chain – and therefore part of the responsibility for cybersecurity. For a long time, many believed responsibility could simply be passed on: “I just integrate components; someone else will take care of security.” That won’t work anymore. The new regulations make it clear: everyone must contribute. Previously, operators were often left alone, trying to secure a mix of insecure products. If all parties now contribute, things become easier. It won’t solve everything, but it creates a shared foundation – for example, that encrypted communication should be standard today.

And what does this mean for companies in concrete terms?

Companies need to build competence. Too much security can make a product unnecessarily expensive; too little can become far more costly in the event of an incident. It’s about assessing risk realistically: How critical is my product? Where is it used? How much security is truly necessary? A temperature sensor monitoring fuel rods in a nuclear power plant requires a different security level than the same sensor used in a hobby weather station. You need the right level – based on knowledge, risk assessment, and technical understanding. Only then can security be both effective and economically viable.
