Consolidated bar charts showing per‑class accuracy, calibration and bias metrics for multiple LLMs evaluated on IEC 62443‑aligned OT cybersecurity risk scenarios from EmbSoftOTBench.

Cybersecurity by Design for Operational Technology (OT) Systems

Cybersecurity risk assessment and standards

Industrial Cyber‑Physical Systems (ICPS) and their Operational Technology (OT) software are moving from best practice to clear regulatory duties in cybersecurity risk assessment. The EU Cyber Resilience Act (CRA) will require documented, lifecycle‑oriented cybersecurity risk assessments for many products with digital elements, including control and automation components. At the same time, standards such as IEC 62443 and the emerging prEN 50742 call for consistent and auditable security and safety practices across industrial systems.

For manufacturers and integrators, this means that “good practice” is no longer enough. Risk assessments must become repeatable, traceable and justifiable against concrete criteria, from threat identification and mitigation through to residual risk and evidence. OT components like PLCs, HMIs and drives need to be assessed not only for functional safety but also for software‑centric cyber risks such as insecure firmware updates, weak authentication and protocol flaws.

EmbSoftOTBench benchmark

As part of our ongoing R&D work at innotec in this direction, we have introduced EmbSoftOTBench, a standards‑aligned benchmark that translates IEC 62443‑3‑2 and MITRE EMB3D into machine‑readable scenarios for OT devices. Each scenario encodes threat and mitigated variants, ILVE factors (Impact, Likelihood, Vulnerability, Exposure) and categorical risk, enabling reproducible evaluation of cybersecurity risk reasoning rather than ad‑hoc judgment. In total, 374 OT software scenarios for PLCs, HMIs and drives are provided, with expert rationales and provenance in a transparent JSON format. This helps link upcoming CRA obligations and EN 50742 expectations with concrete, testable artefacts for industrial software security.

IEC 62443‑3‑2 cybersecurity risk assessment workflow, highlighting the stages covered by EmbSoftOTBench from scenario and threat identification through ILVE estimation to raw and categorical risk derivation.

If you are interested in the technical details, you can find them in the paper Empirical Evaluation of AI-Assisted Risk Reasoning for ICPS Software Security, accepted in IEEE Transactions on Industrial Cyber‑Physical Systems (DOI: 10.1109/TICPS.2026.3669084). In this study, four contemporary LLM families were evaluated on 374 IEC 62443‑3‑2–aligned OT software scenarios from the open EmbSoftOTBench dataset. It was observed that, while more structured and auditable workflows can be supported, overall threat/benign classification accuracy remained close to chance across devices and prompts. Based on these results, LLMs should currently be treated as assistive tools within conservative, standards‑based processes rather than as autonomous decision‑makers for OT cybersecurity risk.
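
As an added illustration (not code from the paper or the EmbSoftOTBench project), the following Python example scores threat/benign answers on paired threat and mitigated scenarios and reports per‑class accuracy next to overall accuracy, so that a near‑chance overall score can be broken down by class and device. The records, the field names `id`, `device` and `label`, the mapping of mitigated variants to a `benign` label and the model outputs are all constructed assumptions, not the dataset's actual schema or results.

```python
import json
from collections import defaultdict

# Constructed records. Field names ("id", "device", "label") are hypothetical
# and are not taken from the EmbSoftOTBench JSON schema. Each threat scenario
# is paired with a mitigated variant, assumed here to carry the label "benign".
SCENARIOS = json.loads("""[
  {"id": "plc-1-threat",    "device": "PLC",   "label": "threat"},
  {"id": "plc-1-mitigated", "device": "PLC",   "label": "benign"},
  {"id": "hmi-1-threat",    "device": "HMI",   "label": "threat"},
  {"id": "hmi-1-mitigated", "device": "HMI",   "label": "benign"},
  {"id": "drv-1-threat",    "device": "drive", "label": "threat"},
  {"id": "drv-1-mitigated", "device": "drive", "label": "benign"}
]""")

# Constructed model outputs: a responder that answers "threat" almost always.
PREDICTIONS = {
    "plc-1-threat": "threat", "plc-1-mitigated": "threat",
    "hmi-1-threat": "threat", "hmi-1-mitigated": "threat",
    "drv-1-threat": "threat", "drv-1-mitigated": "benign",
}

def evaluate(scenarios, predictions, classes=("threat", "benign")):
    """Per-class accuracy, balanced accuracy and threat-prediction rate."""
    hits, totals, predicted_threat = defaultdict(int), defaultdict(int), 0
    for s in scenarios:
        pred = predictions.get(s["id"])  # a missing answer counts as wrong
        totals[s["label"]] += 1
        hits[s["label"]] += int(pred == s["label"])
        predicted_threat += int(pred == "threat")
    per_class = {c: hits[c] / totals[c] for c in classes if totals[c]}
    n = sum(totals.values())
    return {
        "per_class": per_class,
        "accuracy": sum(hits.values()) / n,
        "balanced_accuracy": sum(per_class.values()) / len(per_class),
        "threat_rate": predicted_threat / n,  # 0.5 matches the paired label split
    }

def by_device(scenarios, predictions):
    """Run evaluate() separately for each device type."""
    groups = defaultdict(list)
    for s in scenarios:
        groups[s["device"]].append(s)
    return {d: evaluate(g, predictions) for d, g in groups.items()}

if __name__ == "__main__":
    print(json.dumps(evaluate(SCENARIOS, PREDICTIONS), indent=2))
    print(json.dumps(by_device(SCENARIOS, PREDICTIONS), indent=2))
```

On this constructed input the responder recognises every threat variant but only one of three mitigated variants, which the per‑class figures expose and the single overall accuracy value does not.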

For collaboration on these topics and related R&D activities around CRA, IEC 62443, prEN 50742 and OT security, please get in touch with us at innotec GmbH-TÜV Austria Group, or contact Dr. Padma Iyenghar, R&D Manager and Senior Functional Safety and Cybersecurity Consultant at innotec GmbH-TÜV Austria Group, for a discussion.
