Protecting water, energy and chemical plants in the region.
Mansfeld-Südharz, Germany - November 19, 2025
The first thing you notice inside the control room of the Wolfen wastewater plant is the quiet. Pump curves glide across the screen in perfect sine waves, chlorine residuals adjust by fractions of a part per million, and every fifteen minutes a small grey box labelled “CRA-OT-Shield” emits a soft click as it rotates the outbound TLS certificate. Nothing here looks like cyber security; it looks like hydrology set to music. That is exactly the point. When we began mapping the county’s critical infrastructure for the Cyber Resilience Alliance, we discovered forty-two programmable-logic controllers scattered across three sectors—water, chemicals and energy—that had never been asked to speak anything except Modbus RTU and that had never once been patched without a maintenance window measured in single-digit hours. Convincing plant managers to insert a scanning layer between those controllers and their SCADA servers required a design philosophy that treats latency as a safety parameter and downtime as an environmental hazard. The result is an architecture that does not harden the plant; it hardens the conversation around the plant, leaving every relay, valve and variable-frequency drive free to continue its decades-old cadence while an adjacent stream of mirrored traffic learns what normality smells like.
The reference plant is a 1960s lime kiln on the edge of the former Buna complex, still producing 600 tonnes of calcium oxide per day. Its Schneider Electric M340 PLC cycles every 100 milliseconds; a single missed response triggers an automatic shut-down that takes 36 hours to restart because the kiln must cool below 150 °C before human entry. Traditional IT security tools—signature-based antivirus, agent-based EDR, even routine Windows updates—were incompatible with that tempo. Instead, we built a passive optical tap that splits the copper path between PLC and SCADA, copies the entire Modbus frame into a field-programmable gate array and forwards the original bits with a delay measured in nanoseconds. The copy is pumped into a sandbox that runs the Alliance’s industrial-protocol parser, a piece of code trained on 400 000 hours of telemetry donated by regional plants and labelled by retired shift engineers who can tell the difference between a conveyor stutter and a cyber probe by the cadence of the current draw. If the parser detects an anomaly—say, a coil-write command that attempts to set the kiln ID to zero—the grey box severs only the supervisory channel, leaving the PLC to fall back to its local HMI while plant engineers receive a pager message written in plain German that cites the exact rung of ladder logic under suspicion. During the first 180 days of operation the kiln recorded zero unplanned stops attributable to the security layer, a statistic that persuaded three neighbouring plants to adopt the same sensor without waiting for board approval.
Chemical facilities introduced a different constraint: explosiveness. The chlorine-packaging hall at the Bitterfeld site is Zone 2 ATEX, meaning any device that draws more than 5 watts or sparks at 1.3 megahertz must live inside a pressurised stainless-steel enclosure that costs more than the server it protects. Rather than ruggedising every component, we moved analysis to the edge of the hazardous zone and transmitted only optical pulses. A pair of armoured fibre cables carry mirrored traffic to a small data cabinet located thirty metres away in a safe area; the cabinet consumes 18 watts and is certified for minus 25 °C, so it needs neither HVAC nor hot-work permits. The single-board computer inside runs the same parser as the lime kiln but with an additional ruleset that understands the semantics of HART IP commands used by the plant’s Coriolis flow meters. An attacker attempting to spoof a mass-flow reading would have to craft a packet that passes both cryptographic authentication and physical plausibility checks derived from the temperature and pressure sensors on the same pipeline. The dual-layer filter has already caught two penetration-testers who thought they could bypass security by injecting forged sensor data; both attempts were blocked before the packet reached the operator console, and the only visible side-effect was a brief yellow halo on the SCADA mimic that vanished once the ruleset auto-updated itself.
Water utilities presented yet another rhythm. The Schkopau district heating network circulates 1 200 cubic metres of hot water per hour through 48 kilometres of pipes; the pumps are driven by Allen-Bradley drives that speak EtherNet/IP but expect a heartbeat every 75 milliseconds. Missing two consecutive heartbeats causes the drive to drop to safe mode, reducing flow by 60 % and forcing the utility to fire up its gas peakers at a cost of 12 000 € per day. Here the Alliance’s answer was not passive tapping but deterministic proxying: a ruggedised industrial computer that terminates TCP on behalf of the drive and re-issues the heartbeat if the supervisory layer fails to respond within 50 milliseconds. The proxy also buffers firmware images, so patches can be pre-validated on an offline twin before being committed to the live drive. The first firmware update cycle took 22 minutes—exactly the time needed for the utility to switch from summer to winter pressure curves—demonstrating that security maintenance can be scheduled like any other seasonal adjustment rather than treated as an emergency outage. Since the proxy was installed, the network has logged 99.997 % uptime, a figure that includes two scheduled maintenance windows and one thunderstorm that knocked out the primary uplink; the pumps never noticed.
"We did not touch the process; we gave it a silent twin that never sleeps."
What ties these disparate rhythms together is a single policy language encoded in the Alliance’s industrial policy-as-code repository. Every plant receives a YAML file that declares maximum cycle time, permissible command sets, change-rate limits and fallback states. The file is signed by the plant manager, the works council and the county’s data-protection officer, then compiled into eBPF bytecode that is injected into the grey box. If an operator later tries to override a safety threshold from the control room, the policy engine blocks the command and logs a tamper event that is immutable for eleven years under German critical-infrastructure law. The beauty of the approach is that it exports the burden of compliance from the PLC to the security layer; the plant itself continues to run the same ladder logic its engineers wrote a decade ago, but the envelope around that logic is now version-controlled, peer-reviewed and cryptographically signed. In effect, we turned every brown-field facility into a cyber-physical API: the mechanical process remains proprietary, the security contract becomes portable.
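A small model of the policy check described above, added here as an illustration and not taken from the Alliance's repository: it evaluates mirrored Modbus RTU requests against the four declared items (cycle time, permitted commands, change-rate limits, fallback state). The policy field names, the register address and the fallback label are hypothetical, and plain Python stands in for the compiled eBPF bytecode.

```python
import struct

# Hypothetical policy: field names are assumptions mirroring the four items the
# article lists (cycle time, command set, change-rate limits, fallback state).
POLICY = {
    "max_cycle_ms": 100,
    "permitted_functions": {0x03, 0x06},  # read holding regs, write single reg
    "change_rate_limits": {0x0010: 50},   # register address -> max step per write
    "fallback_state": "sever_supervisory_channel",
}

def crc16_modbus(data: bytes) -> int:
    """Standard Modbus RTU CRC-16 (reflected polynomial 0xA001, init 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_frame(unit: int, func: int, addr: int, value: int) -> bytes:
    """Build a constructed 8-byte RTU request (sample input for this example)."""
    body = struct.pack(">BBHH", unit, func, addr, value)
    return body + struct.pack("<H", crc16_modbus(body))  # CRC is sent low byte first

class PolicyEngine:
    def __init__(self, policy: dict):
        self.policy, self.last_value, self.last_seen_ms = policy, {}, None

    def _deny(self, reason: str):
        return (self.policy["fallback_state"], reason)

    def evaluate(self, frame: bytes, now_ms: int):
        """Return ("forward", "ok") or (fallback_state, reason) for one mirrored frame."""
        # Only fixed-length 8-byte requests (function codes 0x01-0x06) are handled here.
        if len(frame) != 8 or crc16_modbus(frame[:-2]) != struct.unpack("<H", frame[-2:])[0]:
            return self._deny("bad_frame")
        _unit, func, addr, value = struct.unpack(">BBHH", frame[:-2])
        gap = None if self.last_seen_ms is None else now_ms - self.last_seen_ms
        self.last_seen_ms = now_ms
        if gap is not None and gap > self.policy["max_cycle_ms"]:
            return self._deny("cycle_overrun")
        if func not in self.policy["permitted_functions"]:
            return self._deny("function_not_permitted")
        limit = self.policy["change_rate_limits"].get(addr)
        if func == 0x06:
            prev = self.last_value.get(addr)
            if limit is not None and prev is not None and abs(value - prev) > limit:
                return self._deny("change_rate_exceeded")
            self.last_value[addr] = value  # first write seeds the baseline
        return ("forward", "ok")
```

A denied write does not update the stored baseline, so a rejected step cannot be used to walk the reference value toward an out-of-range setpoint.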
The economic footprint is modest but measurable. For the lime kiln, the cost of the optical tap and three years of managed monitoring equals the value of one unplanned re-bricking—roughly 80 000 €—so the investment pays for itself the first time the kiln avoids a cooling cycle. For the chlorine hall, the pressurised cabinet and fibre run added 27 000 € to a 1.2 million € retrofit, a margin smaller than the insurance premium reduction the plant received after demonstrating continuous attestation of sensor integrity. For the district heating utility, the proxy avoided 38 hours of gas-peaker runtime in its first winter, saving 52 000 € and 94 tonnes of CO₂, numbers that will only improve as more pumps join the mesh. None of these figures include the intangible benefit of sleeping better at night, but the plant managers we spoke to were surprisingly candid: knowing that a parallel brain is watching the same data they see, yet detached from the profit pressure that sometimes encourages risky shortcuts, restores a sense of guardianship that no insurance policy can buy.
Scaling the model across the rest of the county is now a question of cabling and confidence rather than capital. The grey boxes are built from off-the-shelf ARM boards and cost less than a mid-range smartphone in volume; the firmware is Apache-licensed and posted on the Alliance’s Git server. What takes time is the social protocol: sitting in the break room at 5 a.m., drinking the same vending-machine coffee as the shift foreman, explaining that the tiny blinkenlight on the new device is not a spy camera but a heartbeat that proves the plant is still the master of its own destiny. Once that conversation is won, the technology installs itself. Our target for 2027 is to cover ninety percent of the county’s critical flow—water, energy, chemicals—and to publish a living document that tells the next rural region how to replicate the entire cycle, from first cup of coffee to first cyber-attack blocked before the pump even notices someone knocked on the door.
The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.
Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.