Keywords
Bosch Rexroth, ctrlX automation, Industry 4.0, ctrlX OS, Linux, Cyber Resilience Act, CRA, IoT, user management
Summary
Hans-Michael Krause from Bosch Rexroth explains, with reference to the automation platform ctrlX, how vendors of digital industrial components can comply with the EU Cyber Resilience Act. He talks about the general level of awareness in the industry and makes the case for open source platforms in software development. Last but not least, he gives practical advice to manufacturing companies on what to insist on when evaluating component vendors.
Takeaways
The Cyber Resilience Act (CRA) is the more attractive and interesting regulation because it puts resilience in the spotlight.
The growing connectivity of industrial systems requires stronger cybersecurity in industrial environments.
The problem remains: compared to IT, automation is about 20 years behind.
Many companies are not aware of the impact of the CRA on their business.
OT cybersecurity starts with granular user management, certificate management, encryption and restrictive port management.
An OS with (too) many security options can increase complexity and, with it, insecurity.
Open source ensures transparency and provides the freedom to customize, which helps reduce the attack surface.
Companies purchasing new digital industrial components need to insist on clear security requirements, both internally and towards vendors.
Machine operators should ensure that all network components, and all ports in use or usable, are known and documented.
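The last takeaway is the kind of check an operator can automate. The following is an added example, not code from the podcast or from Bosch Rexroth: it reconciles a documented port inventory (a constructed dictionary) against listening sockets parsed from output in the shape of `ss -tulnH` (a constructed sample, not a real device), and reports ports that are open but undocumented, ports that are documented but no longer open, and loopback-only sockets that are not network-reachable but still worth recording.

```python
"""Reconcile a documented port inventory with observed listening sockets.

Added example; the inventory format and the sample `ss` output below are
constructed assumptions, not data from any real ctrlX device.
"""
import re
from dataclasses import dataclass

# Constructed inventory, as an operator might document it for one device.
DOCUMENTED_PORTS = {
    ("tcp", 22): "ssh - engineering access",
    ("tcp", 443): "https - web UI / REST API",
    ("udp", 2222): "EtherNet/IP implicit messaging",
    ("tcp", 4840): "OPC UA (documented but currently disabled)",
}

# Constructed sample in the shape of `ss -tulnH` output (no real device).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:502       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:2222      0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*
tcp   LISTEN 0      128             [::]:8080         [::]:*
"""

LOOPBACK_ADDRS = {"127.0.0.1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


# proto, state, recv-q, send-q, local-address:port ...
_SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tulnH`-style lines into Listener records; skip malformed lines."""
    listeners = []
    for line in output.splitlines():
        m = _SS_LINE.match(line)
        if not m:
            continue
        proto, addr, port = m.groups()
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def audit_ports(output: str = SAMPLE_SS_OUTPUT,
                inventory: dict = DOCUMENTED_PORTS) -> dict:
    """Compare observed listeners with the inventory.

    Returns three lists of (proto, port):
      undocumented   - reachable from the network, but not in the inventory
      loopback_only  - bound to loopback and not in the inventory
      stale          - in the inventory, but nothing is listening
    """
    observed = parse_ss(output)
    undocumented, loopback_only = [], []
    for lst in observed:
        key = (lst.proto, lst.port)
        if key in inventory:
            continue
        (loopback_only if lst.addr in LOOPBACK_ADDRS else undocumented).append(key)
    observed_keys = {(lst.proto, lst.port) for lst in observed}
    stale = sorted(k for k in inventory if k not in observed_keys)
    return {
        "undocumented": sorted(set(undocumented)),
        "loopback_only": sorted(set(loopback_only)),
        "stale": stale,
    }


if __name__ == "__main__":
    result = audit_ports()
    for category, keys in result.items():
        print(f"{category}:")
        for proto, port in keys:
            print(f"  {proto}/{port}")
```

Each undocumented entry is either a service that must be added to the inventory with an owner and a reason, or one that should be disabled. The stale list catches the opposite drift, where the documentation promises a service that is no longer there. On a live device the `ss` output would replace the constructed sample; the comparison logic stays the same.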
Sound Bites
The Cyber Resilience Act impacts all of us: component and software vendors, mechanical engineering companies and machine operators.
Visiting the automation field is like stepping into a time machine to the past.
Many look at the CRA like they did back in 1999 at the Y2K challenge – and hope to get away with a black eye.
You can just use your daughter's birthday as a password in our systems.
As a fieldbus protocol, Modbus is way too easy to manipulate.
I expect mechanical engineering companies to use state-of-the-art technology and not a PLC that was designed in the 90s or noughties.
One undocumented interface is enough to miss an attack.
Chapters
00:00 Introduction
00:50 What are NIS2 and the Cyber Resilience Act (CRA)?
03:40 Who is impacted by the CRA and why is it relevant for Bosch Rexroth?
05:05 The reality of cybersecurity in industrial environments
06:03 How is the CRA perceived in the industry?
07:32 When did Bosch Rexroth start integrating OT cybersecurity in their products?
09:00 Elements of cybersecurity in OT components
10:32 Complex software frameworks vs simplified design principles in Linux
13:20 Transparency in Open Source software and device management
14:34 How to deal with legacy systems and the context of IEC 62443
17:03 How well is the market prepared for the requirements of the CRA?
20:50 Recommendations for companies purchasing new digital components
24:40 The easiest attack vector of all