Angelika Beierlein
Cyber resilience among German industrial companies has improved – but according to a VDMA study, it’s far too early for complacency. Threats such as social engineering and phishing continue to escalate.

The number of cyberattacks targeting German machinery and plant engineering firms has risen sharply since the VDMA’s last study in 2019. Yet only 45 percent of companies in this industrial sector now report negative impacts, down from 72 percent in 2019, a drop of 27 percentage points. Apparently, many of the 75 surveyed industrial enterprises, each with more than 250 employees, have stepped up their efforts and developed robust internal cybersecurity strategies.
The study reveals a clear trend toward greater cyber resilience across the mechanical and plant engineering sector. However, it highlights a particularly pressing need for further action among smaller companies. “Of course, these results represent progress – but they’re no reason to relax our vigilance. Small and medium-sized enterprises (SMEs), in particular, require targeted support,” stresses Maximilian Moser, Security Expert at VDMA Software and Digitalisation.
As IT-Business quotes from the study, most industrial firms – regardless of size – currently assess the threat landscape as “moderate”. The highest perceived risk lies in social engineering and phishing, scoring 3.4 on a scale of 0 to 5, followed by “human error and sabotage” (3.2) and “software and hardware vulnerabilities in the supply chain” (3.1).
This underscores that the human factor remains a critical vulnerability – and is moving even further into focus. Accordingly, the VDMA recommends tailored training programmes for production environments, specifically in security awareness building and security policy implementation, to “educate employees about threats and sensitise them to appropriate behaviour”.
Although two-thirds of companies are already affected by stricter regulatory requirements – including the EU’s Cyber Resilience Act (CRA) and the NIS2 Directive – these obligations remain insufficiently known and understood among SMEs. As a result, many are inadequately prepared: 30 percent of SMEs don’t even know whether the regulations apply to them. In Germany, the best-known IT security standards are BSI (Federal Office for Information Security) IT-Grundschutz and ISO standards.
Most industrial companies now manage their IT and OT security in-house. Eighty-eight percent of surveyed companies rely on internal staff, while only 12 percent still engage external service providers. Progress is especially evident in production environments, according to the VDMA (German Engineering Federation): 61 percent of respondents have already implemented an internal risk management framework – up from 41 percent in 2019. Nine out of ten respondents (89 percent) expect the number of cybersecurity incidents affecting their organisations to remain stable or increase over the next few years.

However, only 45 percent of survey participants report negative impacts on their own company – down significantly from 72 percent in 2019. Not captured in the data is the grey zone of unreported incidents, where companies withhold disclosure due to concerns about reputational damage.
Among the top five organisational security measures, policies governing remote maintenance access rank highest, cited by 88% of respondents for internal staff and 84% for external parties. Policies on the use of mobile storage devices follow at 69%. Policies on access rights to machinery and industrial systems, which include rules for external service personnel’s use of third-party devices such as PCs or smartphones, trail far behind at 27%, pointing to a gap in granular access control.
Among technically implemented measures, network segmentation between office and production networks, and monitoring of the traffic that crosses that boundary, are each in place at 68% of companies. Close behind, at 67%, is monitoring of network connections between branch offices and the central control room. Complete isolation of machines and systems (“air gapping”) plays a comparatively minor role, cited by just 48% of companies, with a further 20% planning it. Given that nearly nine in ten companies regulate remote maintenance access, fully isolated systems are the exception; for most, segmentation combined with monitoring of the boundary is the practical control. Transparency over communication relationships between systems (knowing which device talks to which, and over which protocol) has been implemented by 36% of companies, with another 27% still in the planning phase. The gap widens further for upgrades of legacy applications (protocols, interfaces, and technologies): 34% have already initiated such upgrades, while 36% are still preparing them.
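The remote maintenance rules and the office/production boundary monitoring discussed above can be checked mechanically rather than only written down as policy. The following Python script is an added example, not code from the article or the VDMA study; the zone address ranges, the allow-list, the change ticket numbers and the firewall log lines are all constructed for illustration. It maps each logged address to a zone, then reports every accepted boundary crossing the policy does not permit: direct office-to-production connections, external hosts bypassing the jump host, and maintenance sessions outside the approved window or without an approved ticket.

```python
"""Check accepted office/production boundary crossings against an allow-list.

Added example, not code from the article or the VDMA study. Zones, rules,
ticket numbers and log lines are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple

# Constructed zone layout (assumption: RFC 1918 ranges picked for the example).
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "production": ipaddress.ip_network("10.20.0.0/16"),
    "jump": ipaddress.ip_network("10.30.0.0/24"),  # remote-maintenance jump hosts
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: int
    window: Optional[Tuple[time, time]] = None  # permitted time of day; None = any time
    needs_ticket: bool = False  # session must carry an approved change ticket


MAINT = (time(7, 0), time(18, 0))

# Constructed allow-list: the only boundary crossings the policy permits.
ALLOW = [
    Rule("production", "office", 443),             # historian pushes data to office
    Rule("jump", "production", 22, MAINT, True),   # SSH maintenance via jump host
    Rule("jump", "production", 502, MAINT, True),  # Modbus/TCP maintenance via jump host
]

# Constructed firewall log format; real firewalls differ, adapt the regex.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw: (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=\S+ dport=(?P<dport>\d+)(?: ticket=(?P<ticket>\S+))?$"
)


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def check_line(line: str, tickets: set) -> Optional[str]:
    """Return None if the logged flow is acceptable, otherwise a violation reason."""
    m = LOG_RE.match(line)
    if not m:
        return "unparseable log line"
    if m["action"] == "DROP":
        return None  # the firewall already enforced the policy here
    src, dst = zone_of(m["src"]), zone_of(m["dst"])
    if src == dst:
        return None  # not a boundary crossing
    dport = int(m["dport"])
    ts = datetime.fromisoformat(m["ts"]).time()
    flow = f"{src}->{dst}:{dport}"
    for rule in ALLOW:
        if (rule.src_zone, rule.dst_zone, rule.dport) != (src, dst, dport):
            continue
        if rule.window and not (rule.window[0] <= ts <= rule.window[1]):
            return f"{flow} outside maintenance window"
        if rule.needs_ticket and m["ticket"] not in tickets:
            return f"{flow} without approved ticket"
        return None
    return f"{flow} not in allow-list"


def audit(lines, tickets):
    """Return (line, reason) for every accepted crossing the policy does not permit."""
    findings = []
    for line in lines:
        reason = check_line(line, tickets)
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample log lines for one day at the boundary firewall.
SAMPLE_LOG = [
    "2024-03-05T09:15:00 fw: ACCEPT src=10.20.4.7 dst=10.10.8.20 proto=tcp dport=443",
    "2024-03-05T10:02:11 fw: ACCEPT src=10.30.0.5 dst=10.20.1.10 proto=tcp dport=22 ticket=CHG-1042",
    "2024-03-05T22:40:03 fw: ACCEPT src=10.30.0.5 dst=10.20.1.10 proto=tcp dport=502 ticket=CHG-1042",
    "2024-03-05T11:20:45 fw: ACCEPT src=10.10.3.44 dst=10.20.1.10 proto=tcp dport=502",
    "2024-03-05T11:21:00 fw: ACCEPT src=203.0.113.9 dst=10.20.1.10 proto=tcp dport=22 ticket=CHG-9999",
    "2024-03-05T12:00:00 fw: DROP src=10.10.3.44 dst=10.20.1.10 proto=tcp dport=22",
    "2024-03-05T13:05:00 fw: ACCEPT src=10.30.0.5 dst=10.20.1.11 proto=tcp dport=22 ticket=CHG-0001",
]
APPROVED_TICKETS = {"CHG-1042"}  # constructed change-management record

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG, APPROVED_TICKETS):
        print(f"{reason:45} | {line}")
```

The check deliberately audits ACCEPT lines, not DROP lines: a dropped connection shows the firewall doing its job, whereas an accepted flow the allow-list does not cover shows a rule that is too permissive or a policy that was never translated into configuration. Run against the constructed log, it flags the out-of-hours Modbus session, the office workstation reaching a controller directly, the external host bypassing the jump host, and the maintenance session on an unapproved ticket.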
All these figures demonstrate that German industry has already made significant progress toward greater cyber resilience – but cannot afford to ease its efforts amid an ever-growing threat landscape. Instead, stakeholders must now consistently build upon the current security baseline, while also bringing less-digitised operational areas and smaller enterprises more fully into the fold. Sustained protection against increasingly sophisticated cyberattacks can only be achieved through continuous investment – not just in technology and processes, but above all in training employees.
Image source: Adobe Stock / ProstoSvet