Welcome to the latest edition of our CEO Talks. In this issue, we focus on cybersecurity—a topic that has evolved from a back-office IT concern to a core business imperative. As digitalization and AI continue to reshape industries, cybersecurity is no longer optional. It is essential for safeguarding operations, ensuring compliance, and maintaining trust in an increasingly interconnected world. To explore this topic, TTTECH CEO and co-founder Georg Kopetz (hereafter “Georg K.”) sat down with Georg Stöger (hereafter “Georg S.”), Senior Principal Technology Specialist at TTTECH Labs and employee number one at TTTECH. With over 20 years of experience, Georg Stöger brings deep expertise in dependable real-time systems, embedded platforms, and time-sensitive networking.
Cybersecurity: From optional to essential
Could you start by explaining what makes cybersecurity a strategic priority for TTTECH today?
Georg K.: Cybersecurity is no longer optional—it’s business-critical. Every connected device—from industrial controllers to autonomous systems—is a potential target. It’s not just about protecting data. It’s about safeguarding the operations of digital autonomous systems, ensuring compliance and maintaining trust in a highly regulated and interconnected world.
Georg S.: It’s a big topic that affects our daily work—from conducting cybersecurity trainings to adapting our development and verification processes. The attack surface has grown dramatically with increased connectivity, and attackers are becoming more sophisticated, using AI and darknet tools. Cyber threats today are like a COVID infection—it’s not a question of if, but when. Preparation and mitigation are key.
Navigating complexity across industries
How does TTTECH address cybersecurity across diverse industries? Is there a unified approach, or does each sector follow its own cybersecurity regulations? And do you think it’s realistic - or even desirable - to agree on a single standard across all these industries?
Georg K.: We operate in aerospace, energy, industrial automation, and off-highway vehicles—and each of these sectors has its own regulatory landscape. While the specifics vary, the underlying principles of cybersecurity are converging. Our goal is to create scalable, secure solutions that meet the highest standards across all relevant TTTECH sectors.
Georg S.: Absolutely. While each industry has its own regulatory landscape, we’re clearly seeing a convergence—especially in how cybersecurity is approached from a governance and process perspective.
At TTTECH, we supply products to sectors like agriculture, autonomous and off-highway machinery, industrial automation, and aerospace. Each of these has slightly different safety and security standards. However, the overarching governance requirements that apply to any organization developing products and services for these industries are increasingly aligning.
Even though the technologies used to implement cybersecurity may differ, the processes we follow as a supplier, developer, and integrator are becoming more similar. This is also reflected in the regulatory frameworks that guide our work.
You can no longer simply build a product, test it, and declare it secure—that’s no longer sufficient. Security must be embedded throughout the entire development lifecycle: from requirements gathering and system-level threat analysis to implementation and validation.
We hope that, over time, the complex and resource-intensive processes required to develop and verify secure systems will converge even further. TTTECH has always been a pioneer in building safe and dependable systems. Security is often seen as the other side of the same coin—safety on one side, security on the other. While it has always been important, today’s heightened awareness is driven by increasing cyberattacks and growing regulatory pressure. Customers are more engaged than ever—and rightly so.
Georg K.: What do you think, how have customer expectations evolved? What do you see as the most pressing concerns when you speak with customers today? What’s top of mind for them when cybersecurity comes up?
Georg S.: As of mid-2025, concerns around safety, robustness, and reliability are generally well understood and routinely addressed in discussions about system architectures and product development. While cybersecurity as of today is somewhat more obscure and not always addressed in the same systematic way. Its relevance is widely acknowledged, how it integrates into the full supply chain and monitoring processes—and how it becomes a core element of system integrity and safety—is not yet as firmly established.
That’s why we’re currently working closely with customers to build this understanding: today, safety and security can no longer be treated as separate domains. You simply cannot achieve industrial safety without addressing cybersecurity. A single external attack can instantly compromise all safety mechanisms. Traditional safety systems are designed to tolerate hardware failures or software bugs—but not malicious interference. In that sense, safety without security is no longer viable.
This is an ongoing conversation. The most urgent need right now is to demonstrate to customers that security must be embedded from the very beginning of system development—not added after the fact. Just as safety has been an integral part of engineering for the past two decades, security must now follow the same path. This includes the supply chain and technical collaboration models, which are still relatively new in this context.
Cybersecurity at the edge
What are the key challenges in adopting cybersecurity across industrial systems? How is TTTECH integrating cybersecurity into its offerings, and how do advances in architecture—particularly at the edge - help protect customer data and IP? Where do we stand today in delivering secure and dependable platforms?
Georg K.: We’ve been a pioneer in edge computing and recognized early on how important cybersecurity is in the industrial domain—especially at the edge. Many of our customers operate in environments where legacy systems are still in use. These systems were not designed with cybersecurity in mind, but they are still critical to operations. That’s why we focus on enabling secure architectures that allow for local data processing and protection. Edge computing gives our customers the flexibility to decide what stays protected on-site and what can be shared with the cloud. This architectural flexibility is essential in balancing operational continuity with modern security expectations.
Georg S.: Yes, it's quite interesting that if you buy a new hardware platform today—new CPUs, for example—they already include built-in security modules. But of course, there's a lot of legacy out there. When we talk about edge computing, we’re often dealing with legacy devices that were never designed with cybersecurity in mind. They don’t support software updates. They don’t receive security patches. They may use unencrypted data links and lack user management entirely.
The question is: can we securely connect such legacy devices to an IoT system that includes newer, cybersecurity-compliant components? The answer is yes—if we use proper encapsulation and define secure zones in the system architecture. You can integrate insecure components into a secure platform, as long as you don’t expose them directly to the internet. Instead, you shield them behind a platform that includes user management, safety, security, logging, and audit capabilities.
With the products that we develop for different industries, it is possible to integrate these legacy, unsecure components and applications into a secure platform. Then the question becomes: how much does the customer need to expose these components/applications—or their data—to the outside world to gain the most benefit?
This is where edge computing versus cloud computing comes into play. Customers need to decide which data is security- or GDPR-relevant and must remain at the edge. That data should be processed locally, and only the results or trained models should be sent to the cloud.
So, this scalability—the ability to decide where to process data, where it needs to go, and where it must stay hidden and protected—must be part of the solution. And that’s exactly what we currently do in several industries: we offer customers the capability to decide for themselves, based on our platform, where and how their data is handled—and where to transfer it or open up remote connections. Because of course, to benefit from IoT capabilities, some systems must be connected.
Subscribe to our newsletterand receive CEO updates directly to your inbox
Architectural resilience and future technologies
TTTECH pioneered time-triggered networking—a breakthrough that redefined how machines communicate in real time, without fail. In the context of increasingly complex and connected systems, the question arises: Can a time-triggered architecture contribute meaningfully to cybersecurity—and if so, how?
Georg K.: When it comes to time-triggered architecture, we coined the term “scheduled traffic.” The edge controller or gateway could be a hard-coded device where traffic is scheduled in advance—for example, within the switch. This predefined communication pattern means that an attacker would need to know the schedule to launch an attack, which provides a kind of offline protection. That leads to a broader consideration: can we use this deterministic behavior to enhance system-level security?
Georg S.: Yes, we can, but the question of security must always begin with the question of configuration. If the configuration itself isn’t protected—if the switch reconfiguration isn’t secure—then you’re vulnerable. A hacker could override the configuration and disrupt the schedule.
If you have properly secured schedules in place, then this gives you more robustness. So, the hacker could have a hard time launching a denial-of-service attack on a system where resources like network traffic and task scheduling are protected by a time-triggered schedule. So yes, in terms of robustness, a time-triggered architecture can help.
Georg K.: That raises another question: do we encrypt the schedule itself or apply an encryption protocol to it?
Georg S.: I don’t think that either adds much benefit. What’s critical is that the interfaces used to configure the devices are well protected. You can’t have a switch where someone can simply log in via command line and change parameters. It must have a file transfer with appropriate encryption and authentication. You can’t rely on typical switch interfaces like Telnet or SSH that grant root access immediately. That used to be very convenient for system administrators, but the configuration of network devices is one of the most critical parts of system security.
Georg K.: Looking ahead, quantum encryption is another topic gaining traction. How do you see this technology playing a role—particularly in switching and satellite communication?
Georg S.: In satellite communication, absolutely—it’s already relevant. Inside a factory? That’s harder to predict. It will depend on the availability of very small and cost-effective chips. Right now, quantum encryption is still expensive and not widely deployable in industrial environments.
Georg K.: I agree. But never say never. Technology is evolving so quickly. What we think will take 20 years might be here in five. Just look at AI and large language models—those developments accelerated faster than anyone expected. And in parallel, the European Union has set very ambitious targets in terms of cybersecurity. It’s now a top priority at the EU level.
Regulation as a catalyst
How do you assess the latest developments in the EU’s cybersecurity regulations? What impact do these frameworks have on TTTECH’s product development—and how do they influence our competitive position globally?
Georg K.: The European Union has set very ambitious targets in terms of cybersecurity. It’s now a top priority at the EU. Regulations like the Cyber Resilience Act and NIS2 are raising the bar for everyone—suppliers, integrators, and OEMs alike. These frameworks are not just about compliance; they are about building trust and resilience into the digital value chain. At TTTECH, we see this as an opportunity to differentiate ourselves through the maturity of our processes and the robustness of our platforms.
Georg S.: Absolutely. These regulations are long overdue. We’ve seen a sharp increase in cyberattacks in recent years. According to the latest Austrian cybersecurity report, the average damage from a successful attack is between five and six million euros. That’s not just a threat to individual companies—it’s a systemic risk. The EU is responding with strict requirements that now cover more industries and more companies. At TTTECH, we are directly affected because we supply components or entire solutions to companies operating in essential sector. The new rules require governance, product monitoring in the field, immediate alerts if vulnerabilities are exploited, and ongoing security updates throughout the product lifecycle—even five years after a product is released. Fortunately, we’re well prepared. We’ve had rigorous development processes in place for a long time. But companies that haven’t embedded security into their development workflows—those that only did penetration testing and don’t maintain a software bill of materials—are now facing serious challenges.
And time is running out. Full enforcement begins in just two and a half years, and vulnerability monitoring starts as early as 2026. This doesn’t just affect European companies—it applies to any company that wants to sell digital products in the EU. On the one hand, the EU has created a strong and comprehensive framework. On the other hand, it’s going to be tough for those who are not yet prepared.
Georg K.:
That’s true. We’re already seeing a clear increase in activity. Some companies are even entering panic mode as they realize how much needs to be done. In many cases, they’ll need to rethink their product and system architectures, because some issues can’t simply be patched—they require a fundamental redesign. We’ve seen this before with safety regulations: Europe set the standards, and the rest of the world followed. Cybersecurity is no different. It’s not just a European issue—it’s a global one. And we’re also closely watching developments in the U.S. and Asia. So how does Europe compare to other major industrial markets? Do these regulations help a European company like TTTECH stay competitive—or do they slow us down because we have to do more than our competitors?
Georg S.:
That’s the big question: who’s winning—the hackers or the companies trying to protect themselves? The truth is, these regulations do slow us down to some extent. But then again, would I rather be slowed down, or be hacked? In the U.S., the approach is more segmented—each sector, like finance or healthcare, defines its own cybersecurity measures. That might work for individual industries, but there’s no overarching framework. And if there’s a weakness in your supply chain, you immediately have a cybersecurity problem. In that respect, I think Europe’s approach is very good—comprehensive, but also demanding, at least initially, but it is solid and effective.
Georg K.:
And that’s where I see a long-term advantage. Europe’s regulation-first approach may be demanding, but it creates a level playing field and builds trust. If you’ve cleared the bar, it becomes a competitive advantage. In contrast, in the U.S., the market often decides what’s acceptable, and only later do the courts or regulators weigh in on what would have been “good enough.” And when it comes to Asian competitors, there are often concerns about potential backdoors in IT products from certain vendors. Is this something you also see reflected in customer concerns?
Georg S.:
Yes, this is a major concern. We’ve all seen the headlines—even if there’s no proven backdoor, the inability to prove that there isn’t one will soon be enough to exclude a product from the European market. Right now, in 2025, some companies may still take the risk and say, “It probably won’t happen to me.” But that won’t be possible in two years. It’s better to build up your supply chain now and work with partners who can demonstrate full security compliance than to gamble. The risk-based approach won’t be viable in Europe two years from now. So, while today we might say, “That sounds risky, but we’re not sure,” that kind of decision-making won’t be allowed anymore. Cyber-attackers of our assets and infrastructure are relentless and highly professional, and we must plan and act accordingly.
Conclusion: Turning challenge into opportunity
Georg K.: What I’m taking away from this edition of CEO Talks is that the EU is clearly setting the pace with regulations like the Cyber Resilience Act and NIS2. These are not just frameworks for IT—they apply to every product and every digital element across the entire value chain. That means every machine builder, every equipment manufacturer selling into the EU is affected. This includes all types of systems—from energy infrastructure to small industrial controllers. And the message is clear: cybersecurity must be built into the product. It must be supported by strong processes, as you mentioned, but also by robust product features—from chip to cloud. And for many companies, this is a major challenge. For us, it's an opportunity because we can help our customers to accelerate this transformation, this transition. There's a lack of experts and the regulatory framework is evolving fast and the cost of non-compliance or a security breach is extremely high. That’s why I believe we have a great opportunity here.
Thank you, Georg and Georg, for this focused and forward-thinking discussion. Your insights show how secure system design must begin with strong architectural principles— and how TTTECH is supporting compliance with cybersecurity regulations and secure, dependable networks across industries.
