Welcome to CypSec Group
We specialize in advanced defense and intelligent monitoring to protect your digital assets and operations.
Keeping OT traffic local and safe.
Mansfeld-Südharz, Germany - November 16, 2025
The first thing you notice inside the coatings hall of a 120-year-old paint plant south of Wolfen is the silence. The extrusion line still thumps every four seconds, but the data cabinets—once filled with relay logic—now exhale only the whisper of six-passive-cooling edge nodes built from fan-less NUCs painted the exact shade of Brunswick green so the works council does not ask questions. Those nodes are the factory’s new demilitarised zone: every Modbus packet that leaves the Allen-Bradley rack touches an ARM board running a hardened proxy before it even thinks about the motorway fibre. Latency budget: 280 microseconds round-trip, low enough that the process engineer cannot see the jitter on his five-millisecond pressure loop, yet high enough to strip, re-assemble, sign and timestamp each frame so that any future forensics team knows not only what changed the set-point but which firmware build did the changing.
The architecture was born of a simple constraint: no one touches the PLCs. The plant’s downtime window is the Sunday church bell in the neighbouring village—forty-five minutes once a week—and even that slot is shared with mechanical greasing. Rip-and-replace security was therefore politically dead; instead we had to slip a translucent layer between existing switches and the upstream fibre so that brownfield became bump-in-the-wire. The physical form factor matters more than CPU cycles: each node is DIN-rail mounted, 24 V powered, and certified to 60 °C ambient so it survives inside the same cubicle that houses the variable-frequency drives. We learned the hard way that a shiny 1U server in an air-conditioned office is useless when the maintenance foreman parks his forklift against the door; resilience here means surviving both dust and diplomacy.
Traffic flow follows a concentric trust model borrowed from electrical ring mains. The inner ring is Time-Sensitive Networking—precise enough for motion control—while the outer ring carries IT telemetry, camera streams and guest Wi-Fi. The edge node terminates both rings but never forwards between them; instead it re-originates each session through a local policy engine that speaks IEC-62443 dialects on the OT side and zero-trust JSON on the IT side. A motion-control command therefore emerges on the outer ring only after it has been hashed, stamped and queued in a local ledger that is itself replicated to two other nodes inside the same hall. If the ledger does not reach quorum within 50 ms the packet is dropped and the PLC sees a simple timeout—indistinguishable from a loose cable, so the process falls back to manual mode without panic. It is safety by obscurity in reverse: the operator thinks nothing happened, while the security team receives a tamper event rich enough to reconstruct the exact byte sequence that never made it through.
Cryptographic posture is deliberately asymmetric. We use post-quantum signatures for firmware updates—an overhead we can afford because updates arrive quarterly—but stick to fast 256-bit ECDSA for real-time traffic, reasoning that a thirty-second window of elliptic-curve vulnerability is still shorter than the mechanical inertia of a 300-bar reactor. Keys are generated inside each node’s TPM at first boot and never leave the silicon; if a unit is stolen the recovery strategy is physical destruction rather than remote revocation, because replacing a 400-euro board is cheaper than rekeying a county-wide mesh. The corresponding public keys are published in a local certificate transparency log that mirrors to the county courthouse once an hour, turning what could have been opaque key management into a public record that even the most sceptical works council accepts.
"Sovereignty is not who owns the data centre; it is who holds the diesel keys when the extruder is still running and the world outside has gone dark."
Backhaul sovereignty is the final hinge. Every site is dual-homed: a 10 Gbps dark-fibre path heads north to the CRA core in Bitterfeld, while a 1 Gbps commercial link faces the public internet. Under normal conditions OT traffic takes the dark fibre and IT traffic takes the commodity line, but if either path disappears the edge node spins up an encrypted L2TPv3 tunnel inside the surviving pipe and continues without sequence-number reset. The tunnel terminates in a sovereign cloud zone that runs on OpenShift in the former chemical cooling tower—literally inside a decommissioned chlorine cell whose walls are three metres thick and whose power feeds are redundant down to the diesel scent. Fallback latency is still under 2 ms because the geographical distance is less than eight kilometres, a figure that makes CIOs in Frankfurt stare at their spreadsheets and quietly recalculate colocation costs. sovereignty here is not an abstract flag; it is a question of who holds the diesel keys when the grid fails, and the answer is the same volunteer fire brigade that has guarded the plant since 1895.
We rolled the first node out in April, during the plant’s annual maintenance window so short that even the caterer had a Gantt chart. Installation took 38 minutes: power, fibre, earth strap, snap the rail, boot, ping, done. The maintenance manager signed the acceptance form with the same pencil he uses for valve calibration logs, and we walked away before the extruder restarted. Three weeks later a commodity ransomware strain hit the corporate VLAN; the edge node silently dropped the malicious probe packets, logged the pattern, and pushed a STIX bundle to the county SOC. The factory manager never knew the attack happened until the weekly report landed in his inbox, and by then the IOCs were already circulating in Brno and Bari. That is the moment we understood the metaphor had become literal: the county that once taught Europe how to make synthetic rubber is now teaching it how to make synthetic trust, one factory at a time.
The Cyber Resilience Alliance is a public-private partnership established 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and an cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.
Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.
We specialize in advanced defense and intelligent monitoring to protect your digital assets and operations.
