Newsletter
Contact
Technical support Sales

Call-back service

Project enquiry

Page navigation:

IT security features
You too are a target
Our securities
KRITIS
Cybersecurity
Proof of security
FAQ

IT security features of our industrial routers

  • Firmware update signed and encrypted
  • Support packages encrypted
  • Cryptographic procedures compliant with BSI TR-02102-2
  • Hardened firmware
  • White-list industrial firewall with IP packet and MAC filters
  • No default passwords
  • User/PW, RADIUS or certificate-based authentication
  • X.509 certificates and use of own PKI

The most important IT security
of our products are summarised for you:

IT security measures

YOU are a lucrative target too!

Attacking systems in the first place can have various motives, even if they are not obvious at first glance.

Blackmail: disruption of production processes that is only lifted against payment of money
z. e.g. with the use of ransomware
Industrial espionage: Theft of business-critical information and know-how
Political motivation: attacks on critical infrastructure as part of a “cyber war”
Demonstration of power: inflicting maximum damage without a concrete goal
Demonstration of feasibility: attacks to improve the resilience of systems. Attackers are predominantly friendly and cooperative.

To protect our clients from such attacks, our IT security culture is characterised by the terms “security first”, “security by design” and “update it”:

Attacks against digitalised systems in industry have the most diverse motives. INSYS icom provides corresponding concepts for the greatest possible security.
Even during the development of a new product, the highest value is placed on security against attacks. Regular testing and the exclusive use of ISO27001-certified data centres ensure the necessary IT security even after production.

„Security first“ – security as the basis of our actions

IT security plays a decisive role in every phase of our activities and in every product stage. The following five points form the cornerstones of our work:

  • All components (hardware, firmware and web services) are from a single source and are developed by our specialists in Germany.
  • We regularly have the IT security of our products validated through penetration tests and resistance analyses.
  • Our web services are operated exclusively in ISO27001-certified data centres.
  • We regularly update all security-relevant open source libraries.
  • We consistently use automated software tests on nightly builds with thousands of test cases.
  • Cryptographic procedures conform to BSI TR-02102-2
24/7 monitoring of the services as well as a uniform, encrypted and signed firmware on all devices already ensures the highest IT security during product design.

„Security by Design“ – security from the very beginning

Our products are developed from the very beginning according to the principles of “Security by Design” and “Security by Default”. They are therefore characterised by the following points, among others:

  • Simple configuration of secure authentication procedures
  • Hardened firmware for minimal attack surface
  • Uniform firmware across all devices
  • Encrypted and signed firmware
  • Container applications completely isolated from the firmware
  • Support of always up-to-date encryption standards
  • Automated updates via icom router management or update server
  • Comprehensive 24/7 monitoring of all managed services
Regular updates and immediate reactions to detected security vulnerabilities demonstrate the great emphasis on IT security at INSYS icom.

“Update it” – Our update policy

Every product is only as secure as the updates it receives. Therefore, we at INSYS icom attach great importance to regular updates for our products:

null
icom OS router operating system
  • Min. 6 updates per year
  • Cycle: Every 8 weeks
  • Security patches are available until at least 2030
null
icom Connectivity Suite
  • Continuous updates; on average one update per month
null
icom Router Management
  • Cloud: Continuous updates; on average one update per month
  • onPremises: Continuous updates
null
Vulnerability response & patch management

Deployment of patches for critical vulnerabilities (CVSS 9.0-10.0) immediately after availability
Patching of less critical vulnerabilities to the next scheduled release
Maintenance of a list of security advisories for CVEs (Security Advisories)

At home in critical infrastructures (KRITIS)

Critical infrastructures (CRITIS) are organisations or facilities with important significance for the state community. The requirements for the security of the products and services used there are naturally particularly high and are under constant observation. Our solutions for industrial data communication are ideally equipped to meet these requirements, which is why we are the market leader in Germany in the renewable energy and water/wastewater sectors.

LTE450 for critical infrastructures

In March 2023, INSYS icom launched an LTE450 industrial router series. Exclusively critical infrastructure players can access the fail-safe and nationwide mobile network.

More information about our LTE450 solutions
Due to their importance for the state community, organisations in critical infrastructures have the highest requirements for the security of the products used. INSYS icom solutions are excellently suited for this.

Cybersecurity: protection against digital risks

Cyber attacks are a real threat

Cyber attacks are now among the greatest risks for businesses, public authorities and critical infrastructure. They are targeted, professional and technically sophisticated. The consequences range from data theft and industrial espionage to the deliberate disruption of business-critical processes.

IT security is business-critical

Whether through malware, ransomware or targeted sabotage: cyber attacks disrupt operational processes and jeopardise sensitive data. Those who fail to protect their systems risk downtime, data loss and legal consequences. An effective cybersecurity strategy is a key component of corporate resilience and crucial for ensuring ongoing operations.

Cybersecurity is legally required

The implementation of cybersecurity is no longer mandatory only for providers of critical infrastructure. With the EU Cybersecurity Strategy, a comprehensive framework has been established to effectively address cyber threats and ensure the reliable use of digital technologies.

They are implemented via several binding regulations that affect both providers and manufacturers. INSYS icom fulfils the applicable requirements and supports companies in the secure implementation of legal requirements. Our products are developed according to the ‘Security by Design’ principle, among others, and enable reliable, compliant operation of connected systems.

Overview of regulations

NIS 2

The NIS-2 Directive (Network and Information Security) defines binding requirements for the cyber security of critical infrastructures.

More about NIS2

Radio Equipment Directive (RED)

The extended RED Directive sets out binding cybersecurity requirements for internet-connected radio equipment such as routers and IoT devices.

More about RED

Cyber Resilience Act (CRA)

The Cyber Resilience Act (CRA) obliges manufacturers of digital products to ensure cyber security throughout the entire product life cycle.

More about CRA

How to keep your systems secure in five steps

With the following five tips, you can ensure that your systems and machines are securely networked:

  • Secure your application in accordance with the IT security guidelines.
  • Install updates as soon as they are available. The best way to do this is to use icom Router Management and subscribe to our release notes.
  • Sensitize your employees to security issues: “Social engineering” plays a major role in 19% of all successful cyber attacks.
  • Ensure that the components and products used are used professionally. This will help you avoid misconfigurations.
  • Select a secure authentication method, e.g. certificate-based authentication with your own CA or a RADIUS server.

Links, certificates and penetration tests

Here you will find material to support you in the KRITIS audit. You will also find an overview of penetration tests carried out as well as documentation and instructions for using INSYS icom products securely.

Links:

Documents:

Certificates:

Penetration Tests:

Products testedTest bodyPeriodStatus/result
icom OSTest by external security companyQ2 2025No critical or high vulnerabilities found.
icom OSCustomer test from the energy and automation technology sectorQ1 2025Vulnerabilities fixed.
icom OSCustomer test from the energy sectorQ1 2025Vulnerabilities fixed.
icom Connectivity SuiteTG AlphaQ1 2025Vulnerabilities fixed.
icom OSBSI / OpenSource Security GmbHQ4 2022Security certificate issued. No vulnerabilities found.
icom Connectivity SuiteCustomer test from the building technology sectorQ3 2021Vulnerabilities fixed.
icom Connectivity SuiteCustomer test from the building automation technology sectorQ2 2021Vulnerabilities fixed.
icom OSOpenSource Security GmbHQ2 2021Vulnerabilities fixed.
icom Connectivity SuiteOpenSource Security GmbHQ2 2021Vulnerabilities fixed.
icom Router ManagementOpenSource Security GmbHQ1 2021Vulnerabilities fixed.
icom OSCustomer test from the energy industry sectorQ1 2021Vulnerabilities fixed.
icom OS
icom Data Suite		T-Systems on behalf of a customerQ4 2019Vulnerabilities fixed.
icom Connectivity Suite
icom OS		Customer test from the passenger transportation sectorQ3 2019"In conclusion, the system examined can be confirmed as having a generally high level of safety."
icom OSCustomer test from the plant engineering sectorQ2 2019Vulnerabilities fixed.

IT Security – Frequently Asked Questions

Is there actually an exact definition of what high IT security means?

IT is very fast-moving and it would be hard to find a standard that considers the complexity of all use cases. Depending on the application, specifications would be over-secure or not secure enough. For this reason, IT security is usually defined relatively and not absolutely. Security organisations and industry associations therefore orient themselves to the state of the art, which is interpreted differently depending on the industry, the use case and also the size of the company. The industry-specific security standards (B3S) define for example, the state of the art for certain sectors. Technical guidelines such as BSI TR-02102 outline the state of the art for the use of cryptographic procedures.

The BSI IT-Grundschutz Compendium offers recognised recommendations for action and is regarded as an established guide to the state of the art in IT security.

May only certified routers be used in critical infrastructures?

There are currently no regulations that prescribe or give preference to the use of certified components in critical infrastructures according to the BSI-KritisV. This may change in the future; in principle, CRITIS operators can use any components today, as long as they can prove compliance with the IT security requirements.

How objective is the proof of high IT security?

IT security can be proven on the one hand by independent penetration tests and on the other hand by state-recognised certificates. If tests and certifications are carried out by an officially recognised testing body, objectivity is guaranteed.

How does one prepare for an IT security audit?

For one thing, you can use the recommendations for the state of the art of the respective industry association or TeleTrust as a guide. We have also compiled a document for you with our recommendations for securing infrastructure. Our INSYS icom training team also offers security consulting as part of the extended support. Please feel free to contact us at: training@insys-icom.de

Contact form for safety instructions

Do you have questions about product IT security? Write a message to our ISB/CISO at security@insys-icom.com or use our secure online form