Cyber Resilience Act (CRA) - no time to wait
Shownotes
More about the topic: https://www.boschrexroth.com/en/de/industries/hydrogen/ Do you already know the Rexroth blog?
If you have any questions, please contact us: vertrieb@boschrexroth.de
Produced by Bosch Rexroth AG, Sales Europe Centre Susanne Noll
00:00:00: Hello, everybody and welcome to a new episode of our tech podcast by Bosch Rexroth.
00:00:08: My name is Robert Weber and today we are going to talk about the Cyber Resilience
00:00:12: Act and Cyber Security and I invited two guests.
00:00:17: One guest is Michael Langfinger.
00:00:18: Michael, welcome to the podcast.
00:00:20: Hi, Robert.
00:00:21: And Sebastian Krauskopf.
00:00:22: Sebastian, welcome to the podcast.
00:00:24: Hey, Robert.
00:00:25: Nice to be here.
00:00:26: Before we start, please introduce yourself briefly to the listeners.
00:00:30: Michael, first, please.
00:00:32: Yes, I'm the product owner of Cyber Security and also the product security officer of our
00:00:38: business unit, automation and electrification.
00:00:41: So very long introduction.
00:00:44: So maybe let me split it up into the product owner part.
00:00:47: This means that my team and I, we are developing the base security framework of ctrlX OS
00:00:54: and as a product security officer, I'm responsible for multiple topics, mostly ensuring that
00:01:00: all the security requirements are fulfilled in our development, raising awareness in the
00:01:05: company or in the business unit in this case and yes, also providing technical tools and
00:01:10: methods to our colleagues.
00:01:12: Okay.
00:01:13: Thanks, Michael.
00:01:14: Sebastian.
00:01:15: Yeah, I'm the lead software architect with a focus on the control platforms of ctrlX
00:01:18: AUTOMATION.
00:01:19: So this means I'm responsible for the design of our control hardware, ctrlX CORE, and
00:01:24: our software platform, ctrlX OS, and the corresponding apps.
00:01:30: And at the same time, I take care of the software development process.
00:01:33: So that means the process of making software designs, creating architectural documentation,
00:01:39: testing software and delivering software.
00:01:42: So cyber security and cyber resilience are a huge topic in the whole industry.
00:01:47: From my point of view, a modern automation system consists of a large number of network connections,
00:01:53: connected machines; Industry 4.0 is a huge topic.
00:01:58: Cyber attacks in industry run into billions in damage, and then
00:02:03: we have a regulatory topic, the Cyber Resilience Act, for every product that can communicate
00:02:10: with another product.
00:02:12: So when you talk to your customers, Sebastian, what are the biggest misconceptions
00:02:17: when it comes to cyber security in automation?
00:02:20: Well, at the beginning, for many people cyber security was only about encryption of
00:02:27: communication protocols; that is what it was in their mind.
00:02:30: But of course, this is not sufficient.
00:02:32: As we all know, it's not only about the objective of privacy, but also about improving
00:02:38: the availability of an automation system or ensuring the platform integrity.
00:02:44: And another common assumption is that security can be implemented as a single feature in
00:02:49: a single component and then I'm done.
00:02:51: It's not so easy.
00:02:53: So it would be like saying if the security lock on the front door of my house is big enough,
00:03:00: then I'm done.
00:03:01: But of course, this is not the case.
00:03:03: What are you tired of hearing?
00:03:05: I'm actually tired of hearing that Cyber Security is not part of my business.
00:03:11: I don't need to care about Cyber Security.
00:03:13: Do you still hear that?
00:03:14: Yes, indeed.
00:03:16: We still have talks where we hear on the one side that it's not my deal, or, what we also
00:03:22: often hear, but this is getting better, people who have not yet really looked into
00:03:28: it, who are just starting to look into what this means for them.
00:03:32: But time is ticking, right?
00:03:33: Yes, that's true.
00:03:35: Time is ticking.
00:03:36: In 2027, the Cyber Resilience Act will be enforced, and I can only encourage
00:03:43: everyone, every machine builder, to really have a look into this, to build a cyber security
00:03:48: strategy, to be prepared.
00:03:51: What are the biggest obstacles for your customers?
00:03:55: Actually where do they need help?
00:03:58: The new thing for them is that for the first time security is something which affects the
00:04:05: whole life cycle of the product, of the machine.
00:04:09: So it does not end with the commissioning of the machine.
00:04:12: The machine is gone, sold to the customer, everything works, I'm done.
00:04:16: But now there can still be a vulnerability years after the machine has been deployed to
00:04:22: the plant, and you need to do a software update to fix it even if the machine
00:04:30: is working perfectly.
00:04:32: You already mentioned the Cyber Resilience Act; in 2027, everybody needs to fulfill the
00:04:36: regulation of the Cyber Resilience Act.
00:04:39: But the Cyber Resilience Act, is it a baseline, or do you offer more to your customers when
00:04:44: it comes to cyber security?
00:04:47: Well, the Cyber Resilience Act is the first time that we have a regulatory list of requirements
00:04:53: that you need to fulfill in order to sell your product.
00:04:57: But of course for us cyber security is more; our ambition is also to provide more than what
00:05:03: the Cyber Resilience Act requires.
00:05:05: This means we have additional apps, we have additional features which really go beyond
00:05:09: the Cyber Resilience Act.
00:05:10: Michael, can you go a little bit deeper, what does "beyond" mean?
00:05:13: Yeah, of course, when we started developing ctrlX OS, the Cyber Resilience Act was not
00:05:19: even there; nobody could foresee that, obviously.
00:05:22: So this has not been on our mind.
00:05:24: But of course we had to align with already existing standards; to mention one,
00:05:29: that would be IEC 62443, to which we have also certified our ctrlX OS.
00:05:35: So we have already... Certified by whom?
00:05:38: By TÜV in this case.
00:05:40: So we have quite some requirements already fulfilled on the one hand.
00:05:46: But of course, as Sebastian mentioned, the ambition is not to only fulfill the bare minimum
00:05:52: that you must fulfill to bring your product to the market, but to offer our customers
00:05:57: solutions that they can use to improve their security as well, so that they can profit from
00:06:00: our expertise.
00:06:01: Can you share three?
00:06:02: Yeah, of course, for example, the base system already brings a lot of security functionality
00:06:08: that is more than the CRA demands, which you can benefit from, for example, if you
00:06:14: use ctrlX OS on your device, if you sell a device with ctrlX OS, or if you use it in
00:06:19: your machine, even if you are developing an app for it.
00:06:23: So yeah, we have lots of benefits for different stakeholders, let's say.
00:06:27: You have different stakeholders.
00:06:28: That's important, I think, because you have maybe four stakeholders, right?
00:06:32: Yeah, roughly, I would say.
00:06:34: I mean, in the end, obviously, the one that operates the machine is also a stakeholder
00:06:38: for us.
00:06:39: And as already mentioned, app developers, machine builders, other vendors selling the
00:06:45: products, and, like I said, they benefit from different functions that we provide.
00:06:50: How have you prepared for the Cyber Resilience Act, Sebastian?
00:06:57: Well, actually, even before the Cyber Resilience Act came up, cyber security was a very important
00:07:03: topic for us.
00:07:05: ctrlX OS and ctrlX CORE are new platforms, pretty new platforms.
00:07:10: And our goal, our ambition was to create an automation product which combines the robustness
00:07:16: and the performance of an OT device with the flexibility and the connectivity of an IT
00:07:21: device.
00:07:22: So it was pretty clear for us that Cyber Security is an important, so to say, architectural
00:07:28: driver.
00:07:29: Cybersecurity by design.
00:07:31: Cybersecurity by design.
00:07:33: So we started right from the beginning with a secure engineering process.
00:07:38: We analyzed threats and risks and implemented countermeasures.
00:07:42: We applied principles like the defense in depth principle, which means that we have multiple
00:07:48: layers of defense mechanisms, you can think of an onion, in order to harden the
00:07:56: system and to make it as secure as possible.
00:07:59: Is that a USP you can sell on the market?
00:08:02: Yes, definitely.
00:08:03: We think so.
00:08:04: There is room, and there are applications which highly benefit from it.
00:08:08: I mean, in the end, it's about improving the overall availability of your
00:08:15: system.
00:08:16: And we see that the threats and the risk, they increase.
00:08:20: Michael, when we talk about the Cyber Resilience Act, it's not about a product, right?
00:08:27: It's about the competence to build products according to the regulation.
00:08:31: Yeah, exactly.
00:08:33: You do it once, for example, and you're done.
00:08:35: I mean, Sebastian mentioned a lot of very important topics that, of course, have to
00:08:39: be covered, especially coming back, for example, to the defense in depth approach, which means
00:08:44: that to identify which layer of protection you need to implement, you have to think like
00:08:49: an attacker.
00:08:50: So this is something I would say that's...
00:08:52: How difficult is that for you and your team to think like an attacker?
00:08:56: I mean, if you design your system from scratch based on such assumptions, you get used to
00:09:02: that and it's part of your daily work.
00:09:04: But if you have not considered this in product development in the past, and I would
00:09:08: assume that a lot of companies have not done this yet and are not doing this today, then
00:09:12: it's increasingly difficult to think like that.
00:09:15: But this is one important competence that you have to learn as a company now, and you
00:09:20: have to keep on learning that.
00:09:22: So it must be part of your daily business to implement this in your daily work, let's
00:09:28: say.
00:09:29: So as one example, of course, you have to follow your secure coding guidelines, but it's more
00:09:35: than just developing
00:09:36: something, concentrating on one product or so.
00:09:39: It's more, it's the whole life cycle you have to cover, and you have to think of
00:09:43: this whole life cycle at the very beginning when you start developing the product, to
00:09:48: have in mind that later on you must provide patches.
00:09:51: You must have all these processes in place; you need everything Sebastian mentioned.
00:09:55: So this is a huge paradigm shift, I would say.
00:09:58: I want to come back to your products.
00:10:01: You already mentioned ctrlX OS.
00:10:03: It's a Linux-based operating system.
00:10:06: So it's an open source based system.
00:10:08: That's also a security topic, right?
00:10:10: To rely on an open source project.
00:10:12: Yeah, of course.
00:10:13: I mean, almost all open source projects have been reviewed by lots and
00:10:19: lots of people over time.
00:10:20: I mean, we're talking about projects like the Linux kernel or OpenSSL or similar projects.
00:10:25: They are not some smaller projects done by one or two people.
00:10:28: Those are huge projects used by huge companies.
00:10:31: So of course you benefit from the experience that's there in those projects.
00:10:36: And this is also something that's important.
00:10:38: We do not want to reinvent the wheel.
00:10:40: We want to build on established secure standards.
00:10:44: Established IT standards.
00:10:46: Yeah, exactly.
00:10:47: I think that's what Sebastian mentioned before.
00:10:49: It's these worlds that have already started to merge, right?
00:10:54: The OT and the IT, you cannot separate them anymore.
00:10:58: And our goal is to use the benefits of the IT technologies also in the OT world.
00:11:03: And this, to my understanding, also involves all the security aspects, which
00:11:09: yeah, have not been a top priority in the past in OT.
00:11:12: ctrlX CORE is your control platform.
00:11:16: What is the added value in terms of security when it comes to ctrlX CORE?
00:11:21: I mean, what you get is, apart from obviously the software, ctrlX OS, running on it,
00:11:28: You get hardware, which, for example, has a mechanism in place where you can detect
00:11:33: whether the case or the housing has been opened.
00:11:35: And of course you can use it.
00:11:37: It's industrial grade hardware.
00:11:39: You can use it to, for example, build your own security gateway based on the ctrlX
00:11:44: CORE, allowing you, in this case as a machine builder, to secure your whole machinery.
00:11:49: So also for existing machines?
00:11:52: Yes, of course.
00:11:53: That's the idea behind it.
00:11:54: Okay.
00:11:54: You have a very flexible modular system, which brings everything with it and which
00:11:59: you can further extend to realize the security gateway, in this case, as an example.
00:12:04: You want to add something Sebastian?
00:12:05: Yeah, basically with ctrlX CORE, you have an out of the box solution, a hardware/
00:12:09: software platform, which is security certified out of the box.
00:12:12: And you can start using it, building your application, right out of the box.
00:12:17: Let's talk a little bit about updates and patches.
00:12:21: What happens in the future?
00:12:23: What happens in 2027 when you have to update your machine, when you have to deliver patches?
00:12:29: How do you do that?
00:12:30: I mean, patches and updates are increasingly important because they are a security risk too.
00:12:37: Right?
00:12:37: Yeah, of course.
00:12:38: I mean, in the past, there was always the thinking: I've now developed my machine.
00:12:43: I have shipped it to the customer, and it's securely stashed away somewhere in some factory.
00:12:48: And it's not connected to the internet.
00:12:50: So everything is fine.
00:12:51: Exactly.
00:12:51: That's the perfect world, which, in my opinion, never existed, but this
00:12:57: was the assumption.
00:12:58: And nowadays you want to connect those devices.
00:13:01: You want to get data out of them.
00:13:03: You want to work with this data, yeah, with AI models, things like that.
00:13:06: Do you want to process the data?
00:13:07: So you have to connect them.
00:13:08: And then of course, those devices must be secure as well.
00:13:12: And to keep them secure.
00:13:14: I mean, they can be secure, but the moment you ship them, it can happen.
00:13:19: And it happens on a daily basis that somebody discovers a vulnerability, and then you're
00:13:23: forced... Which is good.
00:13:24: Yeah, of course.
00:13:25: That's a good thing.
00:13:26: So, but then you as a vendor are forced to provide those patches as soon as possible.
00:13:32: How fast do you need to deliver them?
00:13:34: I mean, it depends.
00:13:35: The CRA in this case, for example, just states that if you become aware of a
00:13:40: vulnerability that's being exploited, then you have to react very quickly.
00:13:44: So you have to give a first analysis, I would say in 24 hours even.
00:13:48: So that's very quick.
00:13:49: I mean, of course, being able to actually ship updates takes a while.
00:13:54: You have to test them, but you also have to provide the information to your customers:
00:13:59: okay, what can they do until the patches are available, for example?
00:14:02: So that's more than just providing the technical patch.
00:14:05: And so, yeah.
00:14:07: Yeah.
00:14:07: And I mean, our part here is to make life easier for our customers.
00:14:10: I mean, think of how you applied patches back then on Windows 95 and how easily, how
00:14:15: automatically this is now done on your smartphone.
00:14:17: And the same is true for ctrlX OS, where we apply security patches basically as
00:14:22: simply as on your smartphone.
00:14:24: I mean, we even provide the portal for you if you want to use that.
00:14:28: The ctrlX Device Portal in this case allows you to deploy and ship patches
00:14:32: easily to your machines as fleet management, defining when you want to
00:14:36: distribute them, update them.
00:14:38: So you can have this in a very easy way.
00:14:40: But if you say no, that's not what I want to do.
00:14:43: I want to integrate this into my own update management tooling.
00:14:48: That's also no problem because the interfaces are there.
00:14:50: They are open.
00:14:51: You can use them easily.
00:14:53: Can you please share what the two biggest misconceptions or errors in reasoning are
00:15:00: when it comes to the Cyber Resilience Act?
00:15:02: Maybe two from Michael, one from Sebastian.
00:15:05: What are the biggest misconceptions?
00:15:07: I mean, what I often hear is, yeah, I can be relaxed because it does not affect me.
00:15:13: I'm just providing the sensor here that grabs some digital data and transforms it.
00:15:18: But that's actually not the case.
00:15:21: I mean, a sensor is also a digital component.
00:15:23: So I have to take care of that as well.
00:15:25: Sebastian, you want to share your biggest misconception?
00:15:28: The biggest misconception is at the moment that there is still time left.
00:15:33: This is not true.
00:15:34: The clock is ticking.
00:15:35: You have to get your cybersecurity strategy now.
00:15:38: You need to be prepared.
00:15:40: In 2027, the regulation will go live.
00:15:44: So we talked a lot about the Cyber Resilience Act.
00:15:47: What do you offer to machine building companies with a whole existing machine
00:15:54: park when it comes to cybersecurity?
00:15:56: Are there also solutions for them?
00:15:58: Yeah, of course.
00:16:00: And that's one thing I like a lot about ctrlX OS,
00:16:03: and in this case ctrlX CORE, because you can realize so many different use cases.
00:16:09: And in this case, talking about machine builders or existing machines, what you often need,
00:16:14: as I already know, is a security gateway.
00:16:17: So why not take your ctrlX CORE and make a security gateway out of it using the existing apps?
00:16:23: So you have this solution bundle, let's say, which is composed of the firewall app,
00:16:29: the VPN app and the security scanner, for example, that you can
00:16:33: place at the edge of your machine to protect all the components that are
00:16:37: legacy components, brownfield devices that are not secure.
00:16:40: So yeah, use the firewall to protect access to them, to control the data that is transmitted there.
00:16:47: You have your VPN for secure remote maintenance.
00:16:50: And you, in this case, you take the security scanner and you can even use that to have
00:16:56: an overview about all the components in there.
00:17:00: And not only an overview, you get a detailed overview of the security status.
00:17:04: So you can easily determine, hey, there is suddenly a new device in there.
00:17:09: There is a device doing things I do not expect.
00:17:12: And you get the result as a really good, comprehensive report that can also be read
00:17:19: and interpreted by, let's say, a non-expert, somebody not from the field of cybersecurity.
00:17:25: At the end, Michael, let's talk about your favorite security features or apps when it
00:17:31: comes to ctrlX CORE.
00:17:33: I would say one of the biggest features that I really like is the flexibility and the
00:17:39: choices that I have when using ctrlX OS in this case.
00:17:43: So, for example, with the security apps, I can install ctrlX OS on my device, or I
00:17:49: take a ctrlX CORE, and then I can decide what I'm going to do with it.
00:17:53: For example, I could decide I take the security scanner and I use this to make
00:17:59: an inventory of my machine.
00:18:01: So then I have a nice-looking, easily readable report, even for somebody
00:18:06: who is not a security expert.
00:18:07: And I'm very quickly able to determine whether I might have a problem in my machine or not.
00:18:13: So it's extremely simple to fulfill such a use case.
00:18:16: And Sebastian, what are your favorite security features or apps?
00:18:20: I think my highlight is actually how nicely it integrates and how good the
00:18:25: overall ease of use of the system still is.
00:18:28: Often I hear the misconception that security would be bad for the
00:18:34: performance of a system or bad for the usability of the system.
00:18:37: And I think my highlight is that it really nicely integrates in the overall
00:18:42: experience without getting in your way of being productive.
00:18:46: Thank you.
00:18:47: That is a good ending.
00:18:48: Thanks a lot, Michael.
00:18:49: Thanks a lot, Sebastian.
00:18:51: For talking, for explaining to us cyber security, the Cyber Resilience Act and
00:18:55: everything around this whole big topic when it comes to industrial automation.
00:18:59: Thanks a lot.
00:19:00: Thank you.
00:19:01: It was a pleasure.
00:19:01: Thank you, Robert.
00:19:02: [MUSIC PLAYING]
00:19:05: [MUSIC PLAYING]
00:19:09: [music fades out]
00:19:11: [Choir Chimes]