The cyberattack did not start in a data center or through a compromised server. It started with something far less obvious: a connected fish tank.

At a North American casino, operations were running as expected. Systems were monitored, networks were secured, and cybersecurity measures were in place – at least where they were assumed to be relevant. In the lobby, however, there was a smart aquarium equipped with sensors to control temperature, feeding cycles, and water quality. Like many Internet of Things (IoT) devices, it was connected to the network and transmitted data externally.

Attackers identified this device as a weak point. They used it to gain access to the network, moved laterally through the infrastructure, and eventually accessed sensitive data. The breach went unnoticed at first because the point of entry was not considered critical.

What makes this example so relevant is not how unusual it is, but how typical it has become. In connected environments, vulnerabilities often emerge in places that were never designed with cybersecurity in mind. The full extent of the damage was never publicly disclosed.

Changing Attack Surfaces

The shift from isolated IT systems to connected products and ecosystems has fundamentally changed the role of cybersecurity. It is no longer limited to protecting internal IT systems but extends to products, services, and entire value chains.

Customers expect secure products, business partners demand transparency, and regulators are turning previously voluntary practices into enforceable requirements. As a result, cybersecurity has moved from an operational concern to a strategic one. Many organizations still underestimate how broadly these requirements apply. Cybersecurity is no longer tied to specific industries. Instead, what matters is whether a product connects, communicates, or processes data. Europe makes this shift particularly explicit through the Cyber Resilience Act (CRA). Any product with digital elements placed on the EU market is likely to fall within its scope. A connected household device, an industrial component, or a digitally enhanced accessory can all become subject to the same fundamental expectations.

Global Cybersecurity Regulation: Fragmented, Layered, and Evolving

Looking beyond Europe, the global picture becomes more complex. In the United States, cybersecurity is largely shaped by frameworks such as NIST, which provide guidance while leaving room for interpretation. China follows a far more prescriptive model, with strict requirements and certification schemes under regulations such as the Cybersecurity Law and MLPS 2.0. Other regions, including Japan, South Korea, and India, are developing hybrid approaches that combine regulatory frameworks with industrydriven initiatives.

Despite these differences, most cybersecurity regulations follow a similar underlying logic. They shift responsibility toward the product, require structured risk management, and increasingly demand proof that security measures are effective in practice.

Layered Regulation, Shared Responsibility
Figure 1: Cybersecurity regulation around the globe

Layered Regulation, Shared Responsibility

At the same time, regulations are structured along another dimension. In the automotive sector, for example, vertical regulations such as UNECE R155 and GB 44495 require manufacturers to establish and maintain cybersecurity management systems across the vehicle lifecycle, supported by standards such as ISO/SAE 21434. In the medical sector, the Medical Device Regulation (MDR) integrates cybersecurity directly into product safety and approval processes.

Horizontal regulations, by contrast, apply across sectors. The Cyber Resilience Act defines baseline requirements for connected products where no stricter domain-specific rules exist.

In practice, these layers often overlap. A company may need to comply with both industry-specific and cross-sector requirements at the same time, depending on its products and markets.

Importantly, these requirements do not stop at the manufacturer. They extend across the value chain. Suppliers, integrators, and platform providers are increasingly expected to provide evidence of cybersecurity measures, regardless of their formal role. In practice, cybersecurity responsibility follows the product – not the organization.

From Compliance to Real Security

In response to increasing regulation, many organizations default to compliance – defining processes, creating documentation, and meeting formal requirements. While necessary, this alone does not ensure security. Documentation describes intent, not how systems behave under real-world conditions.

And this is the core issue: Cyberattacks do not follow processes. They exploit weaknesses that emerge from complexity, integration, and unexpected interactions. Systems can be fully compliant and still vulnerable, which is why continuous validation is essential.

In reality, organizations face a combination of challenges:

  • Legacy systems that were never designed for today’s threat landscape, yet remain connected and operational and must be secured within their constraints
  • Growing system complexity, with products evolving over years and integrating multiple technologies
  • Distributed development and testing, spread across teams, suppliers, and global environments
  • Fragmented visibility, with results scattered across tools and organizations
  • High testing costs, especially for hardware-heavy setups or one-off penetration tests
  • Late issue detection, making fixes expensive and difficult to implement

A platform like HydraVision addresses these challenges by enabling continuous, automated, and traceable testing. Instead of isolated checks, systems can be validated continuously against evolving vulnerabilities and regulatory requirements.

Figure 2: HydraVision scheme and integratin with the dSPACE tool chain

HydraVision connects multiple stakeholders across the globe on a unified platform. Development, integration, and validation no longer happen in one place but are distributed across teams, suppliers, and partners worldwide. Making this work requires shared environments and a common view, ensuring that everyone operates on the same basis.

Hydra Vision also creates transparency. Standardizing testing ensures consistent and comparable results, giving organizations a reliable and auditable view of their security posture. This is further supported by an extensive test case library with over 100 reusable templates, providing a practical starting point for tailored testing scenarios. Traditionally, scaleability and cost have been key concerns for organizations. Hardware-heavy test setups and one-off penetration tests are difficult to scale and expensive to maintain.

Platform-based solutions enable continuous validation at lower cost and integrate security testing into everyday development. This supports a shift toward addressing vulnerablities earlier in the lifecycle, commonly referred to as "shift left." 

Ultimately, this turns cybersecurity from a reactive effort into a manageable systen - enabling organizations not only to meet regulatory expectations but also to steer security proactively as part of their overall strategy. With dissecto joining dSPACE, flexibility in the test execution will grow even stronger. Users will be able to roll out their security tests to SCALEXIO HIL and VEOS SIL environments via HydraVision. This coupling allows for consistent security validation across multiple test stages while maintaining a single source of test intent and evidence.

Visit the dissecto website

Making Complexity Visible
Figure 3: HydraVision dashboard

Making Complexity Visible

To gain a clear understanding of the security posture across systems, products, and markets, decision-makers require visibility and transparency. HydraVision provides a unified view across systems and teams. Instead of fragmented insights, it offers a consistent picture of the current security state. Centralized visibility reduces friction and improves alignment. 

 

 

 

 

dSPACE MAGAZINE, PUBLISHED JULY 2026

dSPACE direct 뉴스레터 서비스를 통해 최신 소식을 받아보세요.

dSPACE 뉴스레터 서비스를 통해 최신 use case 와 신규 솔루션 및 제품, 교육 및 이벤트에 대한 정보를 지속적으로 확인하세요. 여기에서 무료 로구독을 신청하세요.

Enable form call

At this point, an input form from Click Dimensions is integrated. This enables us to process your newsletter subscription. The form is currently hidden due to your privacy settings for our website.

External input form

By activating the input form, you consent to personal data being transmitted to Click Dimensions within the EU, in the USA, Canada or Australia. More on this in our privacy policy.