Cyber Resilience Act (CRA) - no time to wait
Shownotes
More about the topic: https://apps.boschrexroth.com/microsites/ctrlx-automation/en/news-stories/story/podcast-cyber-resilience-act-en/ Do you already know the Rexroth blog
If you have any questions, please contact us: vertrieb@boschrexroth.de
Produced by Bosch Rexroth AG, Sales Europe Centre Susanne Noll
00:00:04: Hello everybody and welcome to a new episode of our tech podcast by Bosch Rexroth.
00:00:08: My name is Robert Weber and today we are going to talk about the Cyber Resilience Act and Cyber Security and I invited two guests.
00:00:16: One guest is Michael Langfinger.
00:00:18: Michael, welcome to the podcast.
00:00:20: Hi, Robert.
00:00:20: And Sebastian Krauskopf.
00:00:22: Sebastian, welcome to the podcast.
00:00:24: Hey, Robert.
00:00:24: Nice to be here.
00:00:26: Before we start, please introduce yourself briefly to the listeners.
00:00:30: Michael, first please.
00:00:32: Yes, I'm the product owner of cybersecurity and also the product security officer of our business unit, automation and electrification.
00:00:41: So very long introduction.
00:00:44: So maybe let me split it up into the product owner part.
00:00:47: This means that my team and I, we are developing the base security framework of ctrlX OS. And as a product security officer,
00:00:56: I'm responsible for multiple topics, mostly ensuring that all the security requirements are fulfilled in our development, raising awareness in the company, or in the business unit in this case, and also providing technical tools and methods to our colleagues.
00:01:12: Okay, thanks, Michael.
00:01:13: Sebastian.
00:01:14: Yeah, I'm the lead software architect with a focus on the control platforms of ctrlX AUTOMATION.
00:01:19: So this means I'm responsible for the design of our control hardware, ctrlX CORE, and our software platform, ctrlX OS, and the corresponding apps.
00:01:30: And at the same time, I take care of the software development process.
00:01:33: So that means the process of making software designs, creating architectural documentation, testing software and delivering software.
00:01:42: So cyber security and cyber resilience are huge topics in the whole industry.
00:01:47: From my point of view, a modern automation system consists of a large number of network connections and connected machines.
00:01:55: Industry 4.0 is a huge topic.
00:01:58: Damage caused by cyber attacks in industry runs into the billions.
00:02:02: And then we have some regulation topics, the Cyber Resilience Act for every product that can communicate with another product.
00:02:12: So when you talk to your customer, Sebastian, what are the biggest misconceptions when it comes to the cyber security and automation?
00:02:21: Well, at the beginning, for many people cyber security was only about encryption of communication protocols; that was what they had in mind.
00:02:30: But of course, this is not sufficient.
00:02:32: As we all know, it's not only about the objective of privacy, but also about improving the availability of an automation system or ensuring the platform integrity.
00:02:44: And the assumption is also often that security can be implemented in a single feature, in a single component, and then I'm done.
00:02:51: It's not so easy.
00:02:53: So it would be like saying if the security lock on my front door of my house is big enough, then I'm done.
00:03:01: But of course, this is not the case.
00:03:03: What are you tired of hearing?
00:03:06: I'm actually tired of hearing that cyber security is not part of my business.
00:03:11: I don't need to care about cyber security.
00:03:13: Do you still hear that?
00:03:15: Yes, indeed.
00:03:15: We still have talks where we hear on the one side that it's not my deal, or, what we also often hear, but this is getting better, is about people who have not yet really looked into it, who just start to look into: what does this mean for me?
00:03:32: But time is ticking, right?
00:03:34: Yes, that's true, time is ticking.
00:03:36: In 2027, there will be the enforcement of the Cyber Resilience Act.
00:03:41: And I can only encourage everyone, every machine builder to really have a look into this to build a cybersecurity strategy to be prepared.
00:03:51: What are the biggest obstacles for your customers?
00:03:55: Actually, where do they need help?
00:03:57: Maybe the new thing for them is that for the first time security is something which affects the whole life cycle of the product, of the machine.
00:04:09: So it does not end with the commissioning of the machine.
00:04:12: The machine is gone, sold to the customer, everything works, I'm done.
00:04:16: But now it can still be that there will be a vulnerability years after the machine has been deployed to the plant.
00:04:23: And you need to do a software update to fix a vulnerability even if the machine is working perfectly.
00:04:32: You mentioned already the Cyber Resilience Act in 2027.
00:04:35: Everybody needs to fulfill the regulation of the Cyber Resilience Act.
00:04:39: But the Cyber Resilience Act, is it a baseline?
00:04:42: or do you offer more to your customer when it comes to cybersecurity?
00:04:47: Well, the Cyber Resilience Act is the first time where we have a regulatory list of requirements that you need to fulfill in order to sell your product.
00:04:56: But of course, for us, cybersecurity is more.
00:04:59: Our ambition is also to provide more than what the Cyber Resilience Act requires.
00:05:05: This means we have additional apps, we have additional features, which really go beyond the Cyber Resilience Act.
00:05:10: Michael, can you go a little bit deeper?
00:05:11: What does beyond mean?
00:05:14: Yeah, of course, when we started developing ctrlX OS, the Cyber Resilience Act was not even... Yeah, nobody could foresee that, obviously.
00:05:22: So this has not been on our mind.
00:05:24: But of course, we had to, for example, align to already existing standards.
00:05:29: To mention one, it would be IEC 62443, against which we have also certified our ctrlX.
00:05:34: So as so we have already by different this case.
00:05:40: So we have quite some requirements already fulfilled on the one hand side.
00:05:46: But of course, Yeah, as Sebastian mentioned, the ambition is not to only fulfill the bare minimum that you must fulfill to bring a product to the market, but to offer our customers solutions that they can use to improve their security as well so that they can profit from our expertise.
00:06:01: Can you share three?
00:06:03: Yeah, of course, for example, the base system brings a lot of security functionalities already now that go beyond what the CRA demands, which you can benefit from, for example, if you use ctrlX OS
00:06:15: on your device, if you sell a device with ctrlX OS, or if you use it in your machine, even if you are developing an app for that.
00:06:22: So, yeah, we have lots of benefits for different stakeholders, let's say.
00:06:27: You have different stakeholders.
00:06:28: That's important, I think, because you have maybe four stakeholders, right?
00:06:33: Yeah, around about, I would say.
00:06:34: I mean, in the end, obviously, the one that operates the machine is also a stakeholder for us.
00:06:39: And as already mentioned, yeah, app developers, machine builders, other vendors selling the products, and they benefit from different functions that we provide.
00:06:50: How have you prepared for the Cyber Resilience Act, Sebastian?
00:06:57: Well, actually, even before the Cyber Resilience Act came up, cybersecurity was a very important topic for us.
00:07:04: ctrlX OS and ctrlX CORE are new platforms, pretty new platforms.
00:07:09: And our goal, our ambition, was to create an automation product which combines the robustness and the performance of an OT device with the flexibility and the connectivity of an IT device.
00:07:22: So it was pretty clear for us that cybersecurity is an important, so to say, architectural driver.
00:07:30: Cyber security by design.
00:07:32: So we started right from the beginning with a secure engineering process.
00:07:38: We analyzed threats and risk, implemented countermeasures.
00:07:42: We applied principles like the defense in depth principle, which means that we have multiple layers of defense mechanisms.
00:07:53: Like you can think of an onion in order to harden the system and to make it as secure as possible.
00:07:59: Is that a USP you can sell on the market?
00:08:02: Yes, definitely.
00:08:03: We think so.
00:08:04: There is room, and there are applications which highly benefit from it.
00:08:08: I mean, in the end, it's about creating availability to improve the overall availability of your system.
00:08:16: And we see that the threats and the risks, they increase.
00:08:22: When we talk about Cyber Resilience Act, it's not about a product, right?
00:08:27: It's about the competence to build products based on the regulation.
00:08:32: Yeah, exactly.
00:08:33: You do it once, for example, and you're done.
00:08:35: I mean, Sebastian mentioned a lot of very important topics that, of course, have to be covered, especially coming back, for example, to the defense in depth approach, which means that to identify which layer of protection you need to implement, you have to think like an attacker.
00:08:50: So this is something I would say.
00:08:52: How difficult is that for you and your team to think like an attacker?
00:08:56: I mean, if you design your system from scratch based on such assumptions, you get used to that and it's part of your daily work.
00:09:04: But if you have not in the past considered this in a product development, and I would assume that a lot of companies have not done this yet and are not doing this today, then it's increasingly difficult to think so.
00:09:15: But this is one important competence that you have to learn as a company now and you have to keep on learning that.
00:09:22: So it must be part of your daily business to implement this in your daily work, let's say.
00:09:30: As one example, of course, you have to follow your secure coding guidelines, but it's more than just developing something, concentrating on one product or so.
00:09:39: It's more, it's the whole life cycle you have to cover and you have to think of this whole life cycle at the very beginning when you start developing the product to have in mind that later on you must provide patches.
00:09:51: You must have all these processes in place you need.
00:09:54: Everything Sebastian mentioned.
00:09:55: So this is a huge paradigm shift, I would say.
00:09:59: Come back to your products.
00:10:01: You already mentioned ctrlX OS.
00:10:04: It's a Linux based operating system.
00:10:06: So it's an open source based system.
00:10:08: It's also a security topic, right?
00:10:10: To rely on an open source project.
00:10:13: Yeah, of course.
00:10:13: I mean, for almost all open source projects, they have been reviewed by lots and lots of people over the time.
00:10:20: I mean, we're talking about projects like the Linux kernel or OpenSSL or similar projects.
00:10:26: They are not some smaller projects done by one or two people.
00:10:28: Those are huge projects used by huge companies.
00:10:31: So.
00:10:32: Of course, you benefit from the experience that's there in those projects.
00:10:37: And this is also something that's important.
00:10:39: We do not want to reinvent the wheel.
00:10:40: We want to build on established, secure standards.
00:10:44: Established IT standards.
00:10:46: Yeah, exactly.
00:10:47: That's what Sebastian, I think, mentioned before.
00:10:50: It's this kind of these worlds that already have started to merge, right?
00:10:54: The OT and the IT, you cannot separate them anymore.
00:10:58: And our goal is to use the benefits of the IT technologies also in the OT world.
00:11:04: And this, to my understanding, also involves all the security aspects, which have not been a top priority in the past in OT.
00:11:13: ctrlX CORE is your control platform.
00:11:16: What is the added value in terms of security when it comes to ctrlX CORE?
00:11:22: I mean, what you get, apart from obviously the software, ctrlX OS, running on it:
00:11:28: you get hardware which, for example, has a mechanism in place where you can detect whether the case or the housing has been opened.
00:11:36: And of course, you can use it.
00:11:37: It's an industrial grade hardware.
00:11:39: You can use it to, for example, build your own security gateway based on the ctrlX CORE, allowing you, in this case as a machine builder, to secure your whole machinery.
00:11:50: So you also have existing machines.
00:11:52: Yes, of course.
00:11:53: That's the idea behind it.
00:11:54: Okay.
00:11:54: You have a very flexible modular system which brings everything with it and which you can further extend to realize the security gateway, in this case as an example.
00:12:04: You want to add something Sebastian?
00:12:05: Yeah, basically with ctrlX CORE you have an out of the box solution, a hardware software platform which is out of the box security certified, and you can start using it, building your application right out of the box.
00:12:18: Let's talk a little bit about updates and patches.
00:12:21: What happens in the future?
00:12:23: What happens?
00:12:25: When you have to update your machine, when you have to deliver patches, how do you do that?
00:12:31: I mean, patches and updates, they are increasingly important because
00:12:35: it's a security risk too, right?
00:12:38: Yeah, of course.
00:12:38: I mean, in the past, there was always the thinking I've now developed my machine.
00:12:43: I have shipped it to the customer and it's securely stashed away somewhere in some factory.
00:12:48: And it's not connected to the internet.
00:12:50: So everything is fine.
00:12:51: Exactly.
00:12:52: That's the perfect world, which in my opinion never existed, but this was the assumption.
00:12:58: And nowadays, you want to connect those devices.
00:13:01: You want to get data out of them.
00:13:03: You want to work with this data, yeah, with AI model, things like that.
00:13:06: You want to process the data, so you have to connect there.
00:13:08: And then, of course, those devices must be secure as well.
00:13:12: And to keep them secure, I mean, they can be secure, but the moment you ship them, it can happen, and it happens on a daily basis, that somebody discovers a vulnerability and then you're forced,
00:13:24: which is good.
00:13:25: Yeah, of course.
00:13:25: That's a good thing.
00:13:26: So, but then you as a vendor, you're forced to provide those patches as soon as possible.
00:13:32: How fast do you need to deliver them?
00:13:34: I mean, it depends.
00:13:35: The CRA in this case, for example, just states that if you're becoming aware of the vulnerability that's being exploited, then you have to react very quickly.
00:13:44: So you have to give a first analysis, I would say, in twenty four hours even.
00:13:48: So that's very quick.
00:13:50: I mean, of course.
00:13:51: Before you're able to actually ship updates, that takes a while.
00:13:54: You have to test them, but you have to also provide to your customers the information, okay, what can they do until the patch is available, for example.
00:14:02: So that's more than just providing the technical patch.
00:14:07: Yeah, and I mean, our part here is to make life easier for our customers.
00:14:10: I mean, think how you applied patches back then in Windows 95 and how easily, how automatically this is now done on your smartphone.
00:14:18: And the same is true for ctrlX OS, where we apply security patches basically as simply as on your smartphone.
00:14:24: I mean, we even provide the portal for you if you want to use that.
00:14:28: The ctrlX Device Portal in this case allows you to deploy and ship patches easily to your machines as a fleet management, defining when you want to distribute them, update them.
00:14:38: So you can have this in a very easy way.
00:14:41: But if you say, no, that's not what I want to do.
00:14:43: I want to integrate this into my own update management tooling.
00:14:48: That's also no problem because the interfaces are there.
00:14:50: They are open.
00:14:51: You can use them easily.
00:14:53: Can you please share what are your two big misconceptions or errors in reasoning when it comes to the Cyber Resilience Act, maybe two from Michael, one from Sebastian.
00:15:05: What are the biggest misconceptions?
00:15:08: I mean, what I often hear is, yeah, I can be relaxed because it does not affect me.
00:15:13: I'm just providing the sensor here that grabs some digital data and transforms them.
00:15:19: But that's actually not the case.
00:15:21: I mean, a sensor is also a digital component.
00:15:23: So I have to take care of that as well.
00:15:26: Sebastian, you want to share your biggest misconception?
00:15:29: The biggest misconception is at the moment that there is still time left.
00:15:34: This is not true.
00:15:34: The clock is ticking.
00:15:36: You have to get your cybersecurity strategy now.
00:15:39: You need to be prepared.
00:15:40: In 2027, the regulation will go live.
00:15:45: So we talked a lot about the Cyber Resilience Act.
00:15:48: What do you offer to machine building companies with a whole existing machine park when it comes to cybersecurity?
00:15:56: Are there also solutions for them?
00:15:59: Yeah, of course.
00:16:00: And that's one thing I like a lot about ctrlX OS.
00:16:03: And in this case, the ctrlX CORE, because you can realize so many different use cases.
00:16:09: In this case, talking about machine builders or existing machines, what you often need already now is a security gateway.
00:16:18: So why not take your ctrlX CORE and make a security gateway out of it using the existing apps?
00:16:24: So you have this solution bundle, let's say, which is combined of the firewall app, the VPN app, and the security scanner, for example, that you can use to place it at the edge of your machine to protect all the components that are legacy components, brownfield devices that are not secure.
00:16:40: So you use the firewall to protect access to them, to control data that is transmitted there.
00:16:47: You have your VPN for secure remote maintenance.
00:16:50: And in this case, you take the security scanner and you can even use that to have an overview about all the components in there.
00:17:00: And especially not only an overview, you get a detailed overview about the security status.
00:17:05: So you can easily determine, hey, there is suddenly a new device in there.
00:17:10: There is a device doing things I do not expect.
00:17:12: And you get a result as a really good comprehensive report that can also be... read and interpreted by, let's say, a non-expert, somebody not from the field of cybersecurity.
00:17:25: At the end, Michael, let's talk about your favorite security features and apps when it comes to ctrlX CORE.
00:17:34: I would say one of the biggest features that I really like is the flexibility and the choices that I have when using ctrlX OS in this case.
00:17:44: For example, with the security apps, I can install ctrlX OS on my device, or I take a ctrlX CORE, and then I can decide what I'm going to do with it.
00:17:53: For example, I could decide.
00:17:55: I take the security scanner and I use this to make an inventory of my machine.
00:18:01: So then I have a nice looking, easily readable report, even for somebody who is not a security expert.
00:18:08: And I'm very quickly able to determine whether I might have a problem in my machine or not.
00:18:13: So it's extremely simple to fulfill such a use case.
00:18:16: And Sebastian, what are your favorite security features or apps?
00:18:20: I think my highlight is actually how nicely it integrates and how good the overall ease of use of the system still is.
00:18:29: Often I hear the misconception that security would be bad for the performance of a system, or that it would be bad for the usability of the system.
00:18:38: And I think my highlight is that it really nicely integrates in the overall experience without getting in your way of being productive.
00:18:47: Thank you.
00:18:47: That is a good ending.
00:18:48: Thanks a lot, Michael.
00:18:49: Thanks a lot, Sebastian, for talking about and explaining cyber security, the Cyber Resilience Act and everything around this whole big topic when it comes to industrial automation.
00:18:59: Thanks a lot.
00:19:00: Thank you, it was a pleasure.
00:19:01: Thank you, Robert.