Product cybersecurity

We combine engineering expertise with uncompromising cybersecurity. We develop and supply products that remain available even in critical situations and maintain their operational reliability. 

Right from the concept phase, we integrate defense-in-depth protection mechanisms that withstand current attack scenarios and are prepared for future threats.

Our IEC 62443-4-1 certified Security Development Lifecycle ensures that cybersecurity is not an add-on, but an integral part of every product development from the very beginning. 

We additionally have selected solutions tested and certified in accordance with relevant standards and classification requirements — including IEC 62443-3-3 and IACS E27 — to foster transparency, comparability, and trust.
 
Rolls-Royce Power Systems stands for products that our customers can rely on even under the most demanding conditions. To meet this standard and ensure consistently high availability, we continuously invest in leading-edge technology and robust, resilient product cybersecurity solutions. 
 

Our product cybersecurity services at Rolls-Royce Power Systems 

 We support our customers with a comprehensive, modular portfolio covering all aspects of product cybersecurity — from individual control units to complete system landscapes in real-world operational contexts. Our services are practical, scalable and focused on compliance and operational safety. 

Joint risk and security assessment

Together with our customers’ experts, we carry out structured risk and security analyses that assess the entire system within its specific operational environment. 
The result is actionable, prioritised protection concepts with a clear overview of responsibilities and measures.

Threat analyses

Working closely with our clients, we identify vulnerabilities, model attack scenarios and assess impacts and probabilities of occurrence. From this, we work to derive targeted, risk-based defence measures with our clients.

Specialised security testing

We offer tiered testing formats — ranging from focused vulnerability tests to comprehensive assessments of entire systems. These include, among others, Secure FAT (Factory Acceptance Test) and Secure SAT (Site Acceptance Test). These procedures test behaviour, communication flows and authentication under realistic conditions.

Vulnerability reporting, prioritisation and remediation support

On request, we implement customer-specific processes for reporting, prioritising and rectifying vulnerabilities — including structured communication and coordinated implementation.

Certification and compliance support

We assist with the testing and certification of selected solutions in accordance with relevant standards and classification requirements, and support the preparation of evidence and audit documentation.

Product cybersecurity - Vulnerability Disclosure Policy

The protection of our products, systems and facilities is a top priority for us.
We welcome reports of potential security vulnerabilities and value our collaboration with customers and external security researchers.

Scope of Policy


This policy applies to all products and systems we supply to customers, in both civil and military contexts. This includes complete systems, subsystems, software and customised solutions.  


Reports regarding commercial off-the-shelf (COTS) products in use are accepted. However, we recommend that vulnerabilities in such components are also reported directly to the respective manufacturer. 

Reporting vulnerabilities in our products 

Security-related reports (vulnerabilities or incidents) can be submitted via our web form.


To do so, please click here 

Encrypted transmission is available for subsequent communication. Receipt of a message will be confirmed. 

Handling of reports

Incoming reports are reviewed and analysed. If further information is required, we will contact the person who submitted the report. Information regarding the progress of the case will be provided at our discretion and depending on the individual circumstances.

We support responsible security research and value the cooperative interaction between our own measures and the commitment of our product users. For us, this collaboration represents genuine added value with the shared aim of continuously improving the security of our systems.

At the same time, we reserve the right to take action against activities or reports that suggest, whether directly or indirectly, an intention to cause harm, disruption or any other detriment to Power Systems.

Responsibly reported vulnerabilities are welcome — but abusive or harmful actions are not.

Expectations regarding reporting

We ask that vulnerabilities be described in a way that allows for analysis, for example by providing details of affected components, reproduction steps and potential impacts. Please provide a means of contact.  

We expect reported information to be treated confidentially and not disclosed publicly until a fix has been implemented or appropriate authorisation has been granted. 
