🔊CRA regulation – Mazak asks if your company is cyber secure?

Nineteen machine tools in live operation, the UK debut of the first Integrex manufactured outside Japan, and the launch of Mazak’s Solutions Centre were just a few of the headline acts at the Mazak UK November Open House event. Mazak is always looking to the future, and at this event, the company presented its response to the European Union’s Cyber Resilience Act (CRA).

Whilst the three-day event showcased impressive technological advances like the next-generation CV5-700 5-axis machining centre and live laser cutting demonstrations, it was Greg Cocks presentation on cyber security compliance that piqued the interest of MTD magazine. As General Manager, European Sales & Engineering at Mazak Europe, Greg’s message was clear: “Mazak isn’t waiting for the 2027 deadline. From January 2026, all machines ordered will be shipped with ATM bank-grade security hardware as standard. We’re not waiting for regulation to force our hand. We’re making this standard now because it’s the right thing to do for our customers.”

So, What is The Cyber Resilience Act?
The CRA, introduced in December 2024 with a 36-month grace period, represents the most significant regulatory intervention in operational technology security. Derived from the global standard IEC 62443-4-2, it mandates ‘secure-by-design’ machines, regular software updates, software bill of materials, and security threat alerts throughout a product’s lifecycle. Sit up and strap in, subbies – this is coming down the pipeline quickly!
“From 2027, we won’t be able to CE mark machines unless they have the required security measures,” Greg explained. “Without CE marking, machines cannot legally be sold in Europe. This isn’t optional – it’s a market access requirement.”
The urgency behind the legislation is well-founded, with an 84% increase in attacks targeting operational technology devices in 2024 alone. Jaguar Land Rover’s £196m shutdown, which eventually cost the UK manufacturing sector over £1.8bn, demonstrates UK manufacturing’s vulnerability to cyber threats. The CRA aims to address an unprecedented threat landscape before it causes further economic damage.

Bank-Grade Security: The Cisco Partnership
Central to Mazak’s CRA compliance strategy is a partnership with Cisco, providing industrial-grade security hardware as standard equipment. The company has selected the Cisco router, the same device protecting ATMs worldwide, to create a secure connectivity infrastructure for every machine.
“We partnered with Cisco because of their credibility in security” Greg emphasised during his presentation. “This device is exactly the same one that goes into the back of a cash machine. We’re using proven, bank-grade security technology.”
The security architecture employs three protective layers working in concert. The device functions as a firewall, implements network address translation (NAT), and maintains an access control list (ACL). This three-tier approach ensures that only expected information passes through, machine addresses remain hidden from potential hackers, and the machine only communicates with known, authorised network computers.
“It’s actually safer to have a machine connected with secure connectivity than isolated,” Greg revealed, challenging conventional thinking about air-gapping operational technology. “Secure connection enables patches, updates and vulnerability checks. The old approach of air-gapping machines is actually less secure in today’s threat environment.”

Mazak iCONNECT: Infrastructure Already in Place
The Cisco hardware integrates seamlessly with Mazak’s iConnect system, which has been refined over three years to provide both security and operational benefits. This forward-thinking approach means the infrastructure was already in place before the CRA made it mandatory – demonstrating Mazak’s commitment to staying ahead of regulatory requirements.
“About 40% of our customers now use the free Mazak iCONNECT Information Portal,” Cocks reported. “It provides manuals, FAQs, and secure software updates – exactly what the CRA requires to keep machines updated throughout their lifecycle.”
The premium M2M (Machine-to-Mazak) subscription service extends these capabilities significantly. Customers can monitor machine activity from anywhere via a web browser, and critically, the system backs up CNC controllers daily. Following a security incident, users can restore information and be operational quickly – a crucial benefit that transforms potential disasters into manageable incidents.
For existing customers, retrofit solutions are available. Machines manufactured in the last two years have pre-wired space for security boxes, whilst older machines can be fitted with external units, ensuring the entire installed base can be protected.

The Escalating Threat Landscape
The shift from IT to OT targeting represents a fundamental change in the threat landscape. “Banks and insurance companies have strong security measures – they’re no longer ‘low hanging fruit’,” Greg explained. “But many organisations have unprotected operational technology. Once hackers are in, they can escalate privileges to access other systems.”
Perhaps most concerning is the evolution of attack methods. “These activities used to be done by hackers individually, making attacks,” Cocks noted. “Now they’ve got AI mechanisms doing the hacking. Automated systems generate attack lists and find vulnerabilities at scale.”
USB Vulnerabilities and Software Transparency
The company’s CRA compliance strategy includes mitigating risks associated with external device connectivity. Portable storage devices, such as USB sticks, are recognised as a significant security vulnerability. To enhance protection, future equipment will be designed with USB functionality disabled by mid-2026.
The vulnerability is more sophisticated than many manufacturers realise. Hackers can create USB devices that mimic keyboards, bypassing standard IT security measures because keyboards require USB connections. Mazak’s solution maintains functionality through the Project Manager software that connects securely through the network to transfer files.
This transparency creates an industry-wide early warning system. When vulnerabilities emerge in specific components, all manufacturers using those components receive immediate notification, enabling rapid patch deployment. “This is proactive security,” Cocks emphasised.

Practical Guidance for Manufacturers
Beyond outlining Mazak’s compliance strategy, Greg provided practical advice for all manufacturers. “All customers with OT devices should do quarterly checks. Go to a machine, open the web browser, and try to ping 8.8.8.8. If you can get to Google, you’ve got a problem.”
For baseline security, minimum measures should include isolating machine tool networks from computer networks with firewalls and access control lists, and ensuring machines cannot access the internet. Physical security also matters. Machines should be in secure environments with locked doors and controlled access.
The business case extends beyond regulatory compliance. “Smaller businesses don’t want ransomware attacks requiring tens of thousands of pounds to unlock systems. Prevention costs a fraction of a cure.”

Competitive Advantage Through Leadership
Mazak’s proactive stance is already reaping rewards. “We regularly get questions from OEM and Tier 1 customers about the compliance of our machines. The aerospace industry, from OEM through Tier 2, already understands these regulations, and they’re asking questions now – not in 2027.”
Early adoption also positions Mazak to influence industry interpretation of the regulations. “We can contribute meaningfully to MTA discussions because we have practical implementation experience. We’re not just planning compliance – we’re demonstrating it.”
Jason Butler, Sales Director at Yamazaki Mazak UK, reinforced this message: “This event showcased not just UK-made machine tools, but a comprehensive range of connected technologies and support services. Whether you’re a long-term Mazak customer or a potential new user, we’re demonstrating how Mazak can help you take the next step towards better productivity and future-ready operations – including cyber security that meets tomorrow’s requirements today.”
The Solutions Centre, making its UK debut following an EMO 2025 premiere, provides customers with hands-on access to digital and service-driven technologies that complement the cybersecurity infrastructure. This holistic approach combines advanced machining capability with robust digital security and comprehensive support services.
As Cocks concluded his presentation: “Everyone’s got to do something, everyone’s got to take note. UK SMEs now take IT security seriously. Our role is to ensure that same protection level extends to operational technology. Mazak isn’t just complying with the CRA – we’re setting the standard for how the machine tool industry should respond.”