IT security features of our industrial routers

  • CRITIS compliant; provider with the most installations in critical infrastructure
  • MRX3-LTE router certified according to BSI BSZ for critical infrastructure
  • Firmware update signed and encrypted
  • Support packages encrypted
  • Cryptographic procedures compliant with BSI TR-02102-2
  • Hardened firmware
  • White-list industrial firewall with IP packet and MAC filters
  • No default passwords
  • User/PW, RADIUS or certificate-based authentication
  • X.509 certificates and use of own PKI

The most important IT security
of our products are summarised for you:

YOU are a lucrative target too!

Attacking systems in the first place can have various motives, even if they are not obvious at first glance.

Blackmail: disruption of production processes that is only lifted against payment of money
z. e.g. with the use of ransomware
Industrial espionage: Theft of business-critical information and know-how
Political motivation: attacks on critical infrastructure as part of a “cyber war”
Demonstration of power: inflicting maximum damage without a concrete goal
Demonstration of feasibility: attacks to improve the resilience of systems. Attackers are predominantly friendly and cooperative.

To protect our clients from such attacks, our IT security culture is characterised by the terms “security first”, “security by design” and “update it”:

Attacks against digitalised systems in industry have the most diverse motives. INSYS icom provides corresponding concepts for the greatest possible security.
Even during the development of a new product, the highest value is placed on security against attacks. Regular testing and the exclusive use of ISO27001-certified data centres ensure the necessary IT security even after production.

„Security first“ – security as the basis of our actions

IT security plays a decisive role in every phase of our activities and in every product stage. The following five points form the cornerstones of our work:

  • All components (hardware, firmware and web services) are from a single source and are developed by our specialists in Germany.
  • We regularly have the IT security of our products validated through penetration tests and resistance analyses.
  • Our web services are operated exclusively in ISO27001-certified data centres.
  • We regularly update all security-relevant open source libraries.
  • We consistently use automated software tests on nightly builds with thousands of test cases.
  • Cryptographic procedures conform to BSI TR-02102-2
24/7 monitoring of the services as well as a uniform, encrypted and signed firmware on all devices already ensures the highest IT security during product design.

„Security by Design“ – security from the very beginning

Our products are developed from the very beginning according to the principles of “Security by Design” and “Security by Default”. They are therefore characterised by the following points, among others:

  • Simple configuration of secure authentication procedures
  • Hardened firmware for minimal attack surface
  • Uniform firmware across all devices
  • Encrypted and signed firmware
  • Container applications completely isolated from the firmware
  • Support of always up-to-date encryption standards
  • Automated updates via icom router management or update server
  • Comprehensive 24/7 monitoring of all managed services
Regular updates and immediate reactions to detected security vulnerabilities demonstrate the great emphasis on IT security at INSYS icom.

“Update it” – Our update policy

Every product is only as secure as the updates it receives. Therefore, we at INSYS icom attach great importance to regular updates for our products:

icom OS router operating system
  • Min. 6 updates per year
  • Cycle: Every 8 weeks
  • Security patches are available until at least 2030
icom Connectivity Suite
  • Continuous updates; on average one update per month
icom Router Management
  • Cloud: Continuous updates; on average one update per month
  • onPremises: Continuous updates
Vulnerability response & patch management

Deployment of patches for critical vulnerabilities (CVSS 9.0-10.0) immediately after availability
Patching of less critical vulnerabilities to the next scheduled release
Maintenance of a list of security advisories for CVEs (Security Advisories)

At home in critical infrastructures (KRITIS)

Critical infrastructures (CRITIS) are organisations or facilities with important significance for the state community. The requirements for the security of the products and services used there are naturally particularly high and are under constant observation. Our solutions for industrial data communication are ideally equipped to meet these requirements, which is why we are the market leader in Germany in the renewable energy and water/wastewater sectors.

LTE450 for critical infrastructures

In March 2023, INSYS icom launched an LTE450 industrial router series. Exclusively critical infrastructure players can access the fail-safe and nationwide mobile network.

Due to their importance for the state community, organisations in critical infrastructures have the highest requirements for the security of the products used. INSYS icom solutions are excellently suited for this.

Regulation of critical infrastructures

Critical infrastructure legislation aims to increase the level of IT security of information technology systems in sectors considered particularly relevant to the maintenance of public order.

The regulation is subject to constant further development. Currently, the IT Security Act 2.0 is in force with the KRITIS Ordinance of 2023.

The BSI-KritisV defines threshold values for operators and systems from which a KRITIS obligation exists. The lists of threshold values for the respective sectors can be found here

If a KRITIS obligation exists, appropriate organisational and technical security measures are required to prevent disruptions to your information technology systems, components and processes.
When implementing the measures, reference is made to the state of the art. For various sectors, there are sector-specific security standards (B3S) that define the state of the art in the respective sector. Further information on the B3S can be found here or from your industry association.

Outlook NIS2 Directive:

With the IT Security Act 3.0, which is currently in preparation, the requirements of NIS2 will be transferred from EU level to national law. This will probably result in an extension of the CRITIS obligation to further companies in the affected sectors. In its current version, NIS2 defines all companies as having a CRITIS obligation if they employ >50 employees and generate >10 million euros in revenue.
It is likely that the German legislator will not follow this definition in its entirety and will propose a combination that retains the current threshold values for CRITIS systems.

INSYS icom always strives to be up to date with the latest regulations and technology. In our catalogue of measures, we also summarise all technical and organisational measures for our products that support you during auditing. We are always available to answer any questions you may have…

How to keep your facilities safe in five steps

With the following five tips, you can ensure that your plants and machines are securely networked:

  • Secure your application according to the IT security guide.
  • Install updates as soon as they are available. The best way to do this is to use icom Router Management and subscribe to our release notes.
  • Make your employees aware of security issues: “Social engineering” plays a major role in 19% of all successful cyber attacks.
  • Ensure that components and products are used professionally. This will help you avoid misconfigurations.
  • Choose a secure authentication procedure, e.g. a certificate-based authentication with your own CA or a RADIUS server.

Links, certificates and penetration tests

Here you will find material to support you in the KRITIS audit. You will also find an overview of penetration tests carried out as well as documentation and instructions for using INSYS icom products securely.

Penetration Tests:

Products testedTest bodyPeriodStatus/result
icom OSBSI / OpenSource Security GmbHQ4 2022Security certificate issued. No vulnerabilities found.
icom Connectivity ServiceCustomer test from the building services engineeringQ3 2021Weak points corrected.
icom Connectivity ServiceCustomer test from thebuilding automationQ2 2021Weak points corrected.
icom OSOpenSource Security GmbHQ2 2021Weak points corrected.
icom Connectivity ServiceOpenSource Security GmbHQ2 2021Weak points corrected.
icom Router ManagementOpenSource Security GmbHQ1 2021Weak points corrected.
icom OSCustomer test from the energy sectorQ1 2021Weak points corrected.
icom OS
icom Data Suite
T-Systems on behalf of a customerQ4 2019Weak points corrected.
icom Connectivity Service
icom OS
Secunet on behalf of a customer from public transport Q3 2019"In conclusion, the system examined can be confirmed as having a generally high level of safety."
icom OSCustomer test from plant engineeringQ2 2019Weak points corrected.

IT Security – Frequently Asked Questions

Is there actually an exact definition of what high IT security means?

IT is very fast-moving and it would be hard to find a standard that considers the complexity of all use cases. Depending on the application, specifications would be over-secure or not secure enough. For this reason, IT security is usually defined relatively and not absolutely. Security organisations and industry associations therefore orient themselves to the state of the art, which is interpreted differently depending on the industry, the use case and also the size of the company. The industry-specific security standards (B3S) define for example, the state of the art for certain sectors. Technical guidelines such as BSI TR-02102 outline the state of the art for the use of cryptographic procedures.

The handout on the “state of the art” from TeleTrust (Bundesverband der IT-Sicherheit e.V.) offers recommendations for action and orientation on the “state of the art”.

May only certified routers be used in critical infrastructures?

There are currently no regulations that prescribe or give preference to the use of certified components in critical infrastructures according to the BSI-KritisV. This may change in the future; in principle, CRITIS operators can use any components today, as long as they can prove compliance with the IT security requirements.

How objective is the proof of high IT security?

IT security can be proven on the one hand by independent penetration tests and on the other hand by state-recognised certificates. If tests and certifications are carried out by an officially recognised testing body, objectivity is guaranteed.

How does one prepare for an IT security audit?

For one thing, you can use the recommendations for the state of the art of the respective industry association or TeleTrust as a guide. We have also compiled a document for you with our recommendations for securing infrastructure. Our INSYS icom training team also offers security consulting as part of the extended support. Please feel free to contact us at:

Contact form for safety instructions

Do you have questions about product IT security? Write a message to our ISB/CISO at or use our secure online form