iC7-Series Remote Monitoring Cybersecurity
“
Product Information
Specifications:
- Layer 1: Drives – iC7-Series, iC2-Series
- Layer 2: IoT Gateway – Hardware and software combination to
collect drive data for IoT platform - Layer 3: IoT Platform – Cloud/On-premise deployment, gateway
software, firmware, Linux OS, Linux Kernel
Product Usage Instructions:
1. IoT Gateway:
The IoT Gateway combines hardware and software elements to
collect drive data and make it available for the IoT platform.
2. IoT Platform:
The IoT Platform operates at Layer 3 and includes
cloud/on-premise deployment options, gateway software, firmware,
Linux OS, and Linux Kernel.
3. Drives:
The Drives function at Layer 1 and include iC7-Series and
iC2-Series for drive operations.
FAQ:
Q: What are the cybersecurity regulations mentioned in the
manual?
A: The manual refers to the NIS2 Directive in Europe effective
from October 10, 2025, and the EU Cyber Resilience Act Article 11
from Q4 2025 onwards. These regulations require robust information
security management systems and compliance with essential security
standards.
Q: How does the IoT Gateway ensure security?
A: The IoT Gateway includes a secured boot process with a
built-in NXP processor mechanism for handling firmware-controlled
root-of-trust. It also ensures vendor-managed third-party
components are not present in the devices, complying with security
standards like RED EN 18031-1 Article 3.3 (d) and IEC 62443.
“`
Application Paper | DrivePro® Services BE523146459201en-000101
DrivePro® Remote Monitoring Cybersecurity
2 Danfoss Drives · BE523146459201en-000101
Page 04-05
Table of contents
04 Page 120-257
11
Introduction
Cybersecurity in DrivePro® Remote Monitoring
05 Drives 06 IoT gateway 10 IoT Platform
References
Danfoss Drives · BE523146459201en-000101 3
Introduction
The global cybersecurity landscape is undergoing a significant transformation, with the introduction of the most stringent cybersecurity legislation ever, for both entities and products. These cybersecurity regulations are concurrently enforced via mandatory requirements related to market access of products and purchasing of operational systems for entities globally.
In Europe, the NIS2 Directive is effective from October 10, 2025. NIS2 requires essential and important entities, all manufacturers and their supply chains, to implement robust information security management systems and secure development procedures for operational systems.
To continue legal sale in the EU, all other software and hardware products must comply with the Cyber Resilience Act Article 11 from Q4 2025 forwards . Products subject to the requirement include Machinery Directivecompliant products, and their vulnerability management processes (at a minimum). The EU Cyber Resilience Act applies from mid-2027 onwards including essential requirements like regular security testing and update management, among others.
Many of today’s wireless IoT products must be fully redesigned and made secure-by-design-and default. They must comply with Radio Equipment Directive essential requirements 3 (3def and Article 6), to continue legal sales in the EU from Q4 2025 onwards.
This paper describes cybersecurity considerations outlined in EU and global cybersecurity regulations and standards applicable to the DrivePro® Remote Monitoring solution. It provides readers with insights into the dedicated cybersecurity components which are integrated into the DrivePro® Remote Monitoring solution. These components ensure compliance with the regulations and standards, ultimately building a resilient system.
Layer 3: IoT PLATFORM Layer 2: IoT Gateway
Cloud
On-premise
Gateway software Application/Software
Firmware
Linux Operating System
Linux Kernel
Hardware
Layer 1: Drives
VLT® P400
VLT® P600
VACON® 100
VACON® NX
iC7-Series iC2-Series
Figure 1: Layers of the DrivePro® Remote Monitoring solution
This paper shares information regarding cybersecurity features of Danfoss DrivePro® Remote Monitoring solution. It also describes security guidelines for the components present in the Danfoss DrivePro® Remote Monitoring solution. There are three layers in the Danfoss DrivePro® Remote Monitoring solution architecture as shown in Figure 1. They are:
Layer 1: Drives
This layer includes the entire portfolio of drives that DrivePro® Remote Monitoring supports, such as VACON® NX, VACON® 100, many VLT® drives, and new-generation drives like iC2 series and iC7 series.
Layer 2: IoT Gateway
The IoT Gateway combines different elements of hardware and software to provide a mechanism to collect drive data and make it available for the IoT platform. In this paper, we dive into the detail of these hardware and software stacks and uncover the security mechanism behind them.
Layer 3: IoT Platform
The IoT platform is a Cumulocity GmbH1-based Danfoss solution. DrivePro® Remote Monitoring provides both fully-cloud and on-premises capabilities of the IoT platform. This paper shares information on the cybersecurity standards and best practices used and recommended by Cumulocity GmbH IoT Platform as a component of the DrivePro® Remote Monitoring solution.
4 Danfoss Drives · BE523146459201en-000101
Cybersecurity in DrivePro® Remote Monitoring
2. 1 Drives
2.1.1 VACON® NX and VACON® 100 drives
2.1.2 VLT® drives
VACON® drives, including VACON® NX series and VACON® 100 drives are working towards IEC 62443-4-2 SL1 certification. As product supplier, Danfoss shares information on VACON® NX & 100 drives based on:
IEC 62443-4-1: Development and production of the components
IEC 62443-4-2: Description of the product, giving information on threats and mitigations, and how this product is compliant to achieve a certain security level.
In VACON® NX product lifecycle, defense-in-depth strategy is developed around the idea that this product, that was developed long ago without consideration of cybersecurity, is now equipped with understanding, process, actions, and roles and responsibilities related to cybersecurity. The following practices are already implemented and under continuous development:
Security-related documentation. For example, roles and responsibilities, cybersecurity strategy, compliance with security requirements
Secure implementation of new features and updates, including consideration of security guidelines and security best practices
Security hardening and testing
For system certification according to IEC 6244311 and other cybersecurity standards, Danfoss can assist with mitigation solutions at system level, where interaction between VLT® drives and other system components like PLC define the total system. Cybersecurity requirements and directives, NIS2 and CRA come into force 20242026. Therefore, VLT® drives will meet these requirements by end-2024.
These VLT® drives are used in Operational technology: VLT® HVAC Drive FC 102, VLT® Refrigeration Drive FC 103, VLT® AQUA Drive FC 202, and VLT® AutomationDrive FC302.
Therefore, Danfoss has chosen to use requirements in IEC 62443 to implement and certify products in scope for cybersecurity:
IEC 62443-3-3: Technical requirements for control system (where VLT is a subcomponent). SL-1 is applicable to the PC tool, VLT® Motion Control Tool MCT 10.
IEC 62443-4-1: Secure product development lifecycle process (process for development and manufacturing).
IEC 62443-4-2: Technical requirements for component (VLT® drive)
Software for VACON® NX drives such as VACON® NC drive, VACON® NCLoad, VACON® NCIPConfig, VACON® Loader, VACON® Safe, and VACON® Service Tool is compliant with IEC 62443-3-3 SL-1. A detailed description of implementing UR E26, URE27, and IEC 62443-3-3 is provided in the white paper.
Danfoss Drives · BE523146459201en-000101 5
Cybersecurity in DrivePro® Remote Monitoring
2. 2 IOT gateway
2.2.1 Hardware
When selecting a hardware vendor in the European Union, it’s crucial to consider various security mechanisms to ensure compliance with regulations and protect against cyber threats. The EU Cyber Resilience Act (CRA) has introduced new cybersecurity requirements for hardware and software products with digital elements (PDEs), making it essential for organizations to be careful in evaluating potential vendors. Danfoss has the role of the “distributor” as per CRA guidelines for DrivePro® Remote Monitoring solution. The solution uses trusted gateway hardware vendors who meet Danfoss security requirements at par with EN 18031-1 Article 3.3(d), IEC 62443-4-1, IEC 62443-4-2, and CRA guidelines. The following hardware requirements are fulfilled in the DrivePro® Remote Monitoring solution:
secured boot process A built-in NXP processor mechanism handles
firmware-controlled root-of-trust. TPM2.0 is available. No parts in the devices can be categorized as vendor-managed third-party components
The preceding points ensure that security-by-design is implemented in the solution as per RED EN 18031-1 Article 3.3 (d) and complements IEC 62443.
2.2.2 Software
The Danfoss DrivePro® Remote Monitoring solution uses secure and standard software development practices to ensure that the gateway software meets the requirements of IEC 62443 and CRA guidelines. The following are the best practices used in the solution:
All gateway devices are:
Secure LINUX as OS
1. x86-64 architecture 7th Generation Intel® CoreTM i5-7300U Processor, Single Socket FCBGA 1356, or
2. ARM Cortex-A53 Industrial gateway device
All gateway devices support standard protocols for data handling and transfer such as WEB UI, FOTA, CLI, SSH, SMS, Call, TR-069, MQTT, SNMP, JSON-RPC, MODBUS, RMS
Supports RS-485, RS-232, Ethernet and RJ45 The built-in security mechanism of the devices has
DDOS prevention (SYN flood protection, SSH attack prevention, and HTTP/HTTPS attack prevention) Physical attack protection and tamper-proofing are achieved in the devices with port scan prevention (SYN-FIN, SYN-RST, X-mas, NULL flags, FIN scan attacks) The devices are CE-marked with RED (2014/53/ EU) and other EU directives such as LVD (2014/35/ EU), EMDC (2014/30/EU), and EU ROHS2 Directive (2011/65/EU) A built-in NXP processor mechanism handles the
DrivePro® Remote Monitoring solution uses base OS for firmware development such as Debian 12, released in June 2023. Debian 12 contains advanced security features such as AppArmor for application confinement, Secure Boot support, hardened compiler flags, Stack protector, and other memory protection mechanisms. The LTS version of Debian 12 will receive security updates for more than 5 years, ensuring long-term security coverage. Further derisking mechanisms use the gateway vendor’s original OS for which patch management is regularly performed by the vendor.
Firmware update
Firmware update of the DrivePro® Remote Monitoring solution is comprehensive and fast. The gateway device regularly verifies the integrity and authenticity of the downloaded firmware. An A/B update schema is used, which ensures that if the update on the inactive partition fails to validate correctly, the device can roll back to a known, functioning state.
6 Danfoss Drives · BE523146459201en-000101
Security hardening
It is important to:
Security hardening practices are implemented in the DrivePro® Remote Monitoring solution using a secure development process,. This process includes:
Secured configuration management a. Detailed documentation is provided on secure configuration and integration of the gateway b. Guidelines are provided on interfaces with other subsystems such as drives or SaaS platform, product configurations, and use of security-related tools such as firewalls, PKI, Wireshark, or tcpdump, when necessary.
Removal of unnecessary components
Develop guidelines for password renewal. Do not keep the same password for a longer period. This requirement excludes persons earlier having or not supposed to be having access anymore.
Develop guidelines on handling access data. Make sure that the guidelines are implemented consistently in the deploy engineering tools.
Always keep the access data secret. It is the installation owner’s responsibility to ensure that only an authorized group of people is given access to change critical data in the equipment. When updating passwords, consider the following guidelines:
Unnecessary services, applications, protocols, accounts, and other components are removed. Only trusted web servers are used in the solution. Wireless network services are avoided unless necessary. Physical media such as flash drives, file sharing, libraries, and functionality are avoided unless necessary. Remote access and control applications are not activated for the gateway device. Default guest and administrator accounts are disabled. Accounts which are non-responsive for more than 30 days are deactivated. OS updates and application software updates are done frequently. With toolbox like thin-edge, independent package management on a gateway device is not needed.
Access control
a. Do not assign passwords that can be easily guessed, for example, simple number combinations like 1111 or 1234
b. Assign, if possible, passwords with the required maximum length. Maximum-length passwords make it more complicated to gain unauthorized access.
Access protection can be compromised easily by using passwords that are not secure enough. Attackers can use compromised access data to log into systems and manipulate the behavior of the drive. Such manipulation may result in incorrect operation of the DrivePro® Remote Monitoring solution and damage to the installed equipment.
Danfoss Drives · BE523146459201en-000101 7
Cybersecurity in DrivePro® Remote Monitoring
2.2.3 Network and Communication
The DrivePro® Remote Monitoring solution offers Network and Communication security to ensure that the network is compliant to cybersecurity norms. This compliance minimizes the risk of attacks, keep the attack surface as limited as possible and only to have configured necessary functions. The systems only have the software required for the necessary tasks, only the necessary ports and connection points are open or accessible. Also, only the necessary services are activated during operation. The following best practices are implemented in the solution:
a. Network firewall rules and configuration
b. Create the connection so that the drive connects only to the gateway point-to-point or via switches
c. Encrypted protocols like TLS/SSL are used for sensitive data transmission, if necessary
d. Only the latest firmware is used in all gateway devices, servers, switches, or any other devices in the network
e. To prevent physical layer attacks, the network equipment is kept in restricted-access rooms, or in lockable cabinets
The principle of least privilege is followed as per IEC 62443
All gateway devices, servers, switches, or any other devices in the network implement secure NTP to ensure accurate time across all devices
Firewalls are deployed in the edge network
f. Certificates
X.509 certificates for trusted network are used in both the cloud and on-premise deployment of DrivePro® Remote Monitoring solution
Danfoss PKI is recommended for Device certificates
An inventory of all devices and assets on the network is maintained
The allowed ports for the solution are 443 (HTTPS), 8883 (MQTTS) and 22 (SSH). All other unused ports are disabled to prevent unauthorized access
8 Danfoss Drives · BE523146459201en-000101
Danfoss Drives · BE523146459201en-000101 9
Cybersecurity in DrivePro® Remote Monitoring
2.3 IOT platform
Secure Device Management
Danfoss has partnered with Cumulocity GmbH to equip the DrivePro® Remote Monitoring solution with strong cybersecurity practices and methods. In this way, we help our customers to enjoy all the features of a resilient and security hardened platform for handling their data. Cumulocity brings the following cybersecurity best practices to DrivePro® Remote Monitoring:
Tenant Isolation
Tenant Isolation includes Data & Resource Isolation. Security controls ensure tenants’ data is stored securely to prevent unauthorized access or data leakage.
Authentication and Authorization
Strong Authentication enables the platform users to access the services using multi-factor authentication. It also enables tenant administrators to configure secure authentication using Single Sign-on mechanisms such as OAuth2 and OpenID connect.
Device Onboarding: Secure onboarding processes for device provisioning and authentication Firmware Updates: Secure Firmware-over-the-air (FOTA) updates for devices.
Auditing
Comprehensive Logging Detailed logging of all access information and administrative actions. The logs are stored securely and can be used for auditing and forensic analysis.
Data Protection and Privacy
Data Minimization Only the necessary data needed for platform operation is collected, anonymizing or pseudonymizing data where possible.
Identity Management
Access Control Roles and permissions can be defined for different “User types” within each tenant using Role-Based Access Controls. RBAC enables tenant administrators to define their own roles with customized permissions. Explicit device permissions can be achieved through Inventory Roles such as principle of least privilege and granular access control.
Secure Communication
Data Encryption: Securing the data in motion by encrypting all communications between devices, the platform, and tenants
Mutual TLS (mTLS): Mutual TLS used for device authentication, ensuring both client and server authenticate each other
Cumulocity has its own local user data store. Cumulocity provides an SSO functionality that allows a user to login with a third party auth server configured in their tenant space.
Security Configuration
Cumulocity comes with a rich set of configurations that enables you to deploy the instance or configure the tenant in a secure fashion. Security hardening guidelines for Cumulocity provide some of the best practices that can be used for reference to deploy and configure Cumulocity cloud and edge in a secure fashion, as per information security standards.
10 Danfoss Drives · BE523146459201en-000101
Data-at-rest
The Customer data is encrypted in motion/flight and at rest. Data at rest is stored on encrypted disk volumes. Keys are managed by the hyperscaler KMS. The encryption algorithm used is AES-256. Compatible hyperscalers providing the infrastructure for Cumulocity are Azure, AWS and in China, Alibaba and Tencent.
Data-in-Transit
For data-in-transit, data can be encrypted. The encryption depends on the type of traffic or device. For example, Cumulocity IoT can encrypt REST and MQTT via TLS. The exact version of the protocol used for a connection depends on the negotiation between platform and device or user browser. Cumulocity IoT uses state-of-theart encryption protocols and ciphers for data in flight. TLS protocols and ciphers are under constant monitoring to identify weaknesses.
Continuous security monitoring
A dedicated SOC team monitors Cumulocity public cloud instances on a continuous basis. This team continuously investigates the alerts from all the security monitoring tools deployed on the platform.
The Cumulocity platform is graded A+ by SSL labs regarding Transport layer security. Learn more about the security aspect of the Cumulocity IoT platform on their website1.
References
1. https://cumulocity.com/docs/concepts/security/ 2. https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
Danfoss Drives · BE523146459201en-000101 11
Contact us
Contact your local Danfoss experts
Learn more about DrivePro® Services
Any information, including, but not limited to information on selection of product, its application or use, product design, weight, dimensions, capacity or any other technical data in product manuals, catalogues descriptions, advertisements, etc. and whether made available in writing, orally, electronically, online or via download, shall be considered informative, and is only binding if and to the extent, explicit reference is made in a quotation or order confirmation. Danfoss cannot accept any responsibility for possible errors in catalogues, brochures, videos and other material. Danfoss reserves the right to alter its products without notice. This also applies to products ordered but not delivered provided that such alterations can be made without changes to form, fit or function of the product. All trademarks in this material are property of Danfoss A/S or Danfoss group companies. Danfoss and the Danfoss logo are trademarks of Danfoss A/S. All rights reserved.
BE523146459201en-000101
© Copyright Danfoss Drives | 2025.06
Documents / Resources
 |
Danfoss iC7-Series Remote Monitoring Cybersecurity [pdf] User Guide iC7-Series, iC2-Series, iC7-Series Remote Monitoring Cybersecurity, iC7-Series, Remote Monitoring Cybersecurity, Monitoring Cybersecurity, Cybersecurity |