The EU has recently introduced new directives to strengthen cybersecurity, such as the Cyber Resilience Act (CRA) and the NIS 2 Directive. What specific duties apply to automation engineers?
Dr. Tebbe: Automation engineers face the challenge of meeting both the CRA and the NIS 2 Directive. The CRA aims to protect networked products from unauthorized access and manipulation throughout their life cycle. An important component is the timely provision of security updates. The NIS 2 Directive expands the rules of the existing NIS 1, requiring companies, depending on their category and industry, to effectively manage the risks associated with their digital infrastructure and services. As under the CRA, significant cyber incidents must also be reported to national authorities. This means that, as manufacturers and system integrators, we must thoroughly check our infrastructure, products and systems for security vulnerabilities and implement appropriate security measures. This process is often associated with lengthy development times. We also need to ensure that our suppliers meet these high standards, which requires close cooperation and regular audits.
WAGO's security concept per IEC 62443 includes secure networks, information protection, user authentication and vulnerability management.
There are strong interactions between the CRA and the NIS 2 Directive, as they affect both end-user products and industrial components in critical infrastructure.
How does WAGO implement the new requirements? What role does the international IEC 62443 series of standards play in cybersecurity in industrial automation?
Dr. Tebbe: WAGO has long operated an Information Security Management System (ISMS) based on the international standard ISO 27001 and is thus well prepared for the requirements of the NIS 2 Directive. For product development, we have established an integrated security concept based on the international IEC 62443 series of standards and certified it. This standard is crucial for cybersecurity in industrial automation and control systems; it includes basic risk prevention measures, such as using trust zones, defense-in-depth approaches, least-privilege principles, and vulnerability management. These measures help us meet the security requirements of the new EU directives and optimally protect our products throughout their life cycle.
In the future, products covered by the CRA will no longer receive a CE mark if they do not meet the legal requirements. Which product classes are affected?
Dr. Tebbe: The CRA is a horizontal regulation and applies to any class of products with an integrated digital component. There are only a few exceptions, such as medical technology or motor vehicles, which are specifically regulated. As a result, household appliances, smartphones and toys are covered by the CRA, as are industrial controllers and software applications. All of these products must comply with the CRA in order to obtain a CE mark and be allowed on the European market. Particularly important or critical components must always be checked for conformity by an accredited testing agency. However, according to EU planning, this should only apply to a limited number of products that usually implement or support security functions. For all other products, self-assessment is sufficient, based on a harmonized standard. One candidate for such a harmonized standard is the aforementioned IEC 62443. The procedure, according to IEC 62443-4-1 and -4-2, addresses the obligations from the CRA over the entire product lifecycle and includes the principles of secure-by-design, secure-by-implementation and secure-by-default. Only after passing the test can the CE mark be affixed and the declaration of conformity within the framework of the EU directives be issued.
How important is the PSIRT at WAGO with regard to holistic cybersecurity?
Dr. Tebbe: Vulnerability management has been firmly anchored in our company for many years. Our Product Security Incident Response Team (PSIRT) serves as a central contact point for vulnerability reports regarding our products and solutions. The goal is to help our customers protect their applications and processes as effectively as possible. The team evaluates potential vulnerabilities, consults with relevant stakeholders such as the Development Department and Product Management, and initiates necessary measures, such as recommendations for action, updates or patches. One example of our work is a vulnerability we addressed together with Intilion in switches used in battery storage. Thanks to the structured processes of the PSIRT, we rapidly eliminated the potential attack surface. Our team is constantly working to expand these processes to all new and existing products.
How do customers learn if there is a potential risk and in which products?
Dr. Tebbe: We don't work alone in coordinating and publishing information. We are supported by our coordination partner, CERT@VDE, which is part of the German Electrical Engineers Association. CERT@VDE provides information about bug fixes and security vulnerabilities through advisories and also offers an RSS feed. To strengthen information security, which is a critical success factor for Industry 4.0 and digitalization, VDE has established an IT security platform. This platform serves as a central point of contact for customers, consolidating security vulnerabilities from different companies and offering specific solutions.
What advice do you give companies to consider when implementing security measures, and how do you support them?
Kilian Fröhlich: Companies need to monitor both their OT and IT networks and implement a comprehensive security concept, as required by the NIS 2 Directive. WAGO provides OT security consulting services, supplemented by a combination of hardware and software solutions. For example, we partner with Radiflow to offer comprehensive OT security solutions worldwide, tailored to the specific needs of markets such as smart factories, smart buildings or smart energy. With our expertise in industrial automation and Radiflow's expertise in OT cybersecurity, we provide holistic security consulting to help customers secure their OT networks as effectively as possible.
Integrated cybersecurity: Through its partnership with OT security specialist Radiflow, WAGO implements innovative solutions for real-time monitoring and security vulnerability analysis.
WAGO pursues a holistic security concept in order to optimally protect products and systems from possible cyber threats.
Can you give an example of how the Radiflow software solutions interact with your products or solutions?
Kilian Fröhlich: We divide our customer advice into two phases in order to systematically reduce the attack vectors in their networks. The first phase focuses on network monitoring and anomaly detection. Based on this, largely automated risk assessments and derived actions can be taken in the second phase. A successful example of this collaboration is the seamless integration of Radiflow's iSID into WAGO’s software landscape. This complete intrusion detection system runs on our edge devices, referred to as the “WAGO Cybersecurity Network Sight.” In large networks, specialized network taps, the “WAGO Cybersecurity Collectors,” facilitate monitoring. The OT data collected can also be used for asset management – aligning with the principle: “You can only protect what you know.” This approach reduces the manual effort and personnel costs for our customers.
How can threats be detected and minimized in the OT environment?
Kilian Fröhlich: Companies should review their current OT security measures and perform a comprehensive risk assessment. With “WAGO Cybersecurity Analysis,” we offer a tool based on Radiflow's “Ciara” that allows customers to identify threats, assess risks and implement targeted security measures like network segmentation. This results in effective risk reduction. The platform also supports customers in continuously monitoring and adjusting their security strategies to comply with international standards, such as NIST, IEC 62443 and ISO 27001. This is especially important for companies operating in highly regulated sectors.
How can the insights gained from the analyses be best implemented?
Kilian Fröhlich: One major advantage is the uniform reporting: “WAGO Cybersecurity Analysis” offers detailed analyses and an intuitive dashboard that clearly displays the current security status of the network. The findings from these analyses should be translated into concrete security measures and implemented, such as through robust network segmentation strategies. This includes hardening systems, applying security updates and patches, and adjusting network configurations. Companies can use the insights gained from the analyses to continuously monitor and adapt their security strategies as necessary. Our security consulting team helps customers quickly take the required measures to ensure the security of industrial control systems.
What is the next roadmap for the partnership with Radiflow?
Kilian Fröhlich: We plan to further expand our partnership and continuously improve our joint security solutions. Along with the four products we currently coordinate, additional ones will follow, such as the Active Scanner, which enables targeted vulnerability scans on individual devices. We also plan to expand our switch and router portfolio, certified according to IEC 62443. In this case, alarm messages from iSID could trigger firewall rule adjustments.
For some, all this sounds like a significant expense. What advice would you give to these companies?
Kilian Fröhlich: At first glance, implementing these security measures might seem extensive. However, it is crucial to be proactive to avoid long-term damage and downtime. Therefore, we advise companies to address the most significant security vulnerabilities first and then gradually implement further measures. It is important to first identify what is in the network, as what you can see can be protected more effectively.
Source: Computer and Automation, September 2024