Wago

Inka Krischke

Strengthening cyber resilience

In view of the increasing damage caused by cyberattacks and EU directives such as the CRA, holistic cybersecurity is becoming indispensable. Dr. Christopher Tebbe, security expert, and Kilian Fröhlich, manager in OT security consulting, explain how Wago is tackling this.

© Wago/Computer&Automation

The EU has recently introduced new directives to strengthen cybersecurity, such as the Cyber Resilience Act (CRA) and the NIS 2 Directive. What specific obligations will automation companies face?

Dr. Tebbe: Automation companies face the challenge of complying with both the CRA and the NIS-2 Directive. The CRA aims to protect networked products from unauthorized access and manipulation throughout their entire life cycle. An important component of this is the prompt provision of security updates. NIS-2 extends the provisions of the existing NIS-1 and obliges companies, depending on their category and industry, to implement effective risk management for the operation of their digital infrastructure and services. Similar to the CRA, significant cyber incidents must also be reported to national authorities. This means that we, as manufacturers and system integrators, must comprehensively check our infrastructure as well as our products and systems for security vulnerabilities and implement appropriate security measures. This often involves lengthy development times. We also have to ensure that our suppliers comply with these high standards, which requires close cooperation and regular audits.


How is Wago implementing the new requirements and what role does the international IEC 62443 series of standards for cybersecurity in industrial automation play?

Dr. Tebbe: Wago has been operating an ISMS, an Information Security Management System, based on the international standard ISO 27001 for a long time and is therefore well prepared for the requirements of the NIS 2 Directive. For product development, we have established a holistic security concept that is based on the international IEC 62443 series of standards and is certified. This is an important standard for the cybersecurity of industrial automation and control systems and includes basic risk prevention measures: these include, for example, the use of trust zones, defense-in-depth approaches, least-privilege principles and vulnerability management. These measures help us to meet the security requirements of the new EU directives and provide our products with optimum protection throughout their entire life cycle.

In future, products that fall under the Cyber Resilience Act will no longer receive a CE mark if they do not meet the legal requirements. Which product classes does this affect?

Dr. Tebbe: The CRA is a horizontal regulation and therefore applies to any class of products that have an integrated digital component or digital part. There are only a few exceptions, such as for medical technology or motor vehicles, as these are specially regulated. This means that household appliances, smartphones and toys fall under the CRA, as do industrial control systems and software applications. In future, all of these products must therefore also comply with the CRA in order to receive a CE mark and be allowed to be placed on the European market. Particularly important or critical components must always be tested for conformity by an accredited testing body. However, according to EU plans, this will only apply to a small number of products that generally implement or support security functions. For all other products, a self-assessment is sufficient, for example on the basis of a harmonized standard. One candidate for such a harmonized standard is the aforementioned IEC 62443. The procedure in accordance with IEC 62443-4-1 and -4-2 addresses the obligations arising from the CRA over the entire product life cycle and includes the principles of secure-by-design, secure-by-implementation and secure-by-default. The CE mark is only affixed once the test has been passed and the declaration of conformity is then drawn up in accordance with the EU directives.

Wago's security concept in accordance with IEC 62443 includes secure networks, information protection, user authentication and vulnerability management.

© Wago

How important is the Product Security Incident Response Team (PSIRT) at Wago in terms of holistic cybersecurity?

Dr. Tebbe: Vulnerability management has been firmly anchored in our company for many years. Our PSIRT acts as a central point of contact for vulnerability reports in our products and solutions. The aim is to support our customers in protecting their applications and processes in the best possible way. The team assesses potential vulnerabilities, consults with relevant stakeholders such as the development department and product management and initiates necessary measures such as recommendations for action, updates or patches. One example of our work is the elimination of a vulnerability that we fixed with the company Intilion in switches that were used in battery storage systems. Thanks to the PSIRT's structured processes, we were able to eliminate the potential attack surface as quickly as possible. Our team is continuously working on extending these processes to all new and existing products.

How do customers find out whether there is a potential hazard and in which products?

Dr. Tebbe: We do not coordinate and publish information on our own, but are supported by our coordination partner, CERT@VDE, which is part of the Association of German Electrical Engineers. CERT@VDE provides information on bug fixes and security vulnerabilities through so-called advisories and also offers an RSS feed. In order to strengthen information security as a critical success factor for Industry 4.0 and digitalization, the VDE has established an IT security platform. This platform serves as a central point of contact for customers by bundling security vulnerabilities from various companies and providing specific solutions.

Holistic cybersecurity: Through its partnership with OT security specialist Radiflow, Wago is implementing innovative solutions for real-time monitoring and vulnerability analysis.

© Wago

What do you advise companies to bear in mind when implementing security measures and how do you provide support?

Fröhlich: Companies should keep an eye on both their OT and IT networks and implement a comprehensive security concept, as required by the NIS-2 directive. Wago offers consulting services in the field of OT security, which are supplemented by a combination of hardware and software solutions. One example of this is our partnership with Radiflow to offer comprehensive OT security solutions worldwide that are tailored to the individual needs of specific markets such as Smart Factory, Smart Building or Smart Energy. Thanks to our know-how in industrial automation and Radiflow's expertise in OT cyber security, we can provide holistic security consulting and help our customers to make OT networks as secure as possible.

Can you give an example of the interaction between Radiflow software solutions and your products or solutions?

Fröhlich: We divide our customer consulting into two phases in order to systematically reduce the attack vectors in customer networks. In the first phase, the focus is on network monitoring and detecting anomalies. On this basis, a largely automated risk assessment and derivation of measures can be carried out in the second phase. A successful example of the first phase of the collaboration is the seamless integration of Radiflow's iSID into the Wago software landscape. This comprehensive intrusion detection system runs on our edge devices and is referred to by us as Wago Cybersecurity Network Sight. In large networks, special network taps, the Wago Cybersecurity Collectors, facilitate monitoring. In addition, the OT data collected can also be used for asset management - according to the motto: "You can only protect what you know." In this way, we reduce our customers' manual effort and personnel costs.
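The two points made above, that advisories from a coordinator such as CERT@VDE arrive as a feed, and that monitoring data is only useful once it is turned into an asset inventory ("You can only protect what you know"), meet in one routine task: matching a vendor advisory feed against what is actually deployed, and ranking the hits by whether the device is reachable from outside its zone. The following is an added example written for this article, not Wago, Radiflow or CERT@VDE code. The RSS feed, advisory IDs, product names, firmware versions, IP addresses and flow records are all constructed for the example; the "Product: ...; Affected: < x.y.z" description format is an assumption, real advisories will need their own parser.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed RSS 2.0 advisory feed standing in for a coordinator's feed.
# Advisory IDs, product names and version numbers are fictional.
ADVISORY_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example advisories</title>
<item><title>EXAMPLE-2024-001: Authentication bypass in Example Switch X1</title>
<description>Product: Example Switch X1; Affected: &lt; 2.3.0</description></item>
<item><title>EXAMPLE-2024-002: Denial of service in Example PLC P2</title>
<description>Product: Example PLC P2; Affected: &lt; 1.8.5</description></item>
<item><title>EXAMPLE-2024-003: Weak default credentials in Example Gateway G9</title>
<description>Product: Example Gateway G9; Affected: &lt; 4.0.0</description></item>
</channel></rss>"""

# Constructed asset inventory: what the monitoring phase has told us is in the OT zone.
INVENTORY = {
    "10.10.1.10": {"product": "Example Switch X1", "firmware": "2.2.1"},
    "10.10.1.20": {"product": "Example PLC P2", "firmware": "1.8.2"},
    "10.10.1.30": {"product": "Example PLC P2", "firmware": "1.8.0"},
    "10.10.1.40": {"product": "Example Gateway G9", "firmware": "4.1.2"},
}
OT_ZONE = ipaddress.ip_network("10.10.1.0/24")

# Constructed flow records (src, dst, dst_port), the kind of data a passive sensor exports.
FLOWS = [
    ("192.168.50.5", "10.10.1.10", 443),   # IT host managing the switch
    ("10.10.1.20", "10.10.1.30", 502),     # PLC-to-PLC Modbus/TCP inside the zone
    ("192.168.50.7", "10.10.1.30", 502),   # IT host talking Modbus to a PLC across the zone boundary
]


def parse_version(text):
    """'1.8.2' -> (1, 8, 2); tuples compare numerically, unlike strings ('1.10' < '1.9')."""
    return tuple(int(part) for part in text.split("."))


def parse_advisories(xml_text):
    """Extract (id, product, first fixed version) from each feed item."""
    advisories = []
    for item in ET.fromstring(xml_text).iter("item"):
        title = item.findtext("title", "")
        desc = item.findtext("description", "")
        m = re.search(r"Product:\s*(.+?);\s*Affected:\s*<\s*([\d.]+)", desc)
        if not m:
            continue  # unparsable item: surface to an analyst rather than guessing
        advisories.append({"id": title.split(":")[0],
                           "product": m.group(1).strip(),
                           "fixed_in": m.group(2)})
    return advisories


def exposed_assets(flows, zone):
    """OT-zone hosts that received traffic from outside the zone."""
    return {dst for src, dst, _ in flows
            if ipaddress.ip_address(src) not in zone
            and ipaddress.ip_address(dst) in zone}


def match_advisories(inventory, advisories, exposed):
    """Vulnerable assets, exposed ones first: those are the biggest gaps to close."""
    findings = []
    for ip, asset in inventory.items():
        for adv in advisories:
            if (adv["product"] == asset["product"]
                    and parse_version(asset["firmware"]) < parse_version(adv["fixed_in"])):
                findings.append({"ip": ip, "product": asset["product"],
                                 "firmware": asset["firmware"], "advisory": adv["id"],
                                 "fixed_in": adv["fixed_in"], "exposed": ip in exposed})
    findings.sort(key=lambda f: (not f["exposed"], f["ip"]))
    return findings


def run():
    advisories = parse_advisories(ADVISORY_FEED)
    return match_advisories(INVENTORY, advisories, exposed_assets(FLOWS, OT_ZONE))


if __name__ == "__main__":
    for f in run():
        flag = "  EXPOSED across zone boundary" if f["exposed"] else ""
        print(f"{f['ip']:12} {f['product']:18} {f['firmware']:6} -> "
              f"{f['advisory']} (fixed in {f['fixed_in']}){flag}")
```

The ordering is the point: the PLC at 10.10.1.30 is both below the fixed version and reachable on Modbus/TCP from an IT host, so it tops the list, while the equally vulnerable 10.10.1.20 only talks to peers inside its zone and can wait for the next maintenance window. Version comparison here handles plain dotted numbers only; vendor version strings with suffixes or build tags need a dedicated comparison routine.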

How can threats in the OT environment be identified and minimized?

Fröhlich: Companies should review their current OT security measures and carry out a comprehensive risk assessment. Based on Radiflow's 'Ciara', we offer Wago Cybersecurity Analysis, a tool that enables end customers to identify threats, assess risks and implement targeted security measures such as network segmentation. This enables efficient risk mitigation. The platform also supports customers in continuously monitoring and adapting their security strategy to ensure compliance with international standards such as NIST, IEC 62443 and ISO 27001. This is particularly important for companies operating in highly regulated industries.

There are close interactions between the CRA and the NIS 2 Directive, as they affect both products for end users and industrial components in critical infrastructures.

© Wago

What is the best way to implement the insights gained from the analyses?

Fröhlich: One major advantage is the standardized reporting: Wago Cybersecurity Analysis offers detailed analyses and an intuitive dashboard that clearly displays the current security status of the network. The findings from the analyses should be translated into concrete security measures and implemented, for example using robust network segmentation strategies. Such measures include hardening systems, implementing security updates and patches and adapting network configurations. Companies can thus use the knowledge gained from the analyses to continuously monitor their security strategy and adapt it if necessary. Our security consulting team helps to take measures to ensure the security of industrial control systems.

What is the future roadmap for the partnership with Radiflow?

Fröhlich: We plan to further expand the partnership and continuously improve our joint security solutions. In addition to the four products that have already been agreed, others will follow, such as the Active Scanner, which enables the targeted search for vulnerabilities in individual devices. We are also planning to expand our switch and router portfolio, which is also certified in accordance with IEC 62443. Here, alarm messages from iSID could lead to firewall rules.
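Turning intrusion-detection alarms into firewall rules, as mentioned above, is where automation in an OT network needs the most guard rails: a rule that cuts off an engineering station or a safety controller does more damage than the alert it reacts to. The following is an added example written for this article, not Wago's or Radiflow's code and not iSID's alert format. The alert fields, the zone, the protected-peer list and the assumption that an nftables table `inet filter` with a `forward` chain exists on the router are all constructed for the example; the generated commands are plain `nft` syntax.

```python
import ipaddress

# Constructed alerts in a hypothetical dictionary shape; not a real IDS export format.
ALERTS = [
    {"severity": "high", "src": "192.168.50.7", "dst": "10.10.1.30", "proto": "tcp", "dport": 502,
     "signature": "Modbus write from outside the OT zone"},
    {"severity": "low", "src": "10.10.1.20", "dst": "10.10.1.30", "proto": "tcp", "dport": 502,
     "signature": "Previously unseen Modbus function code"},
    {"severity": "high", "src": "10.10.1.5", "dst": "10.10.1.30", "proto": "tcp", "dport": 502,
     "signature": "Burst of Modbus writes"},
    {"severity": "high", "src": "192.168.50.7", "dst": "10.10.1.30", "proto": "tcp", "dport": 502,
     "signature": "Modbus write from outside the OT zone"},   # repeat of the first alert
]
OT_ZONE = ipaddress.ip_network("10.10.1.0/24")
# Peers that automation must never cut off (engineering station, safety controller). Constructed.
PROTECTED = {ipaddress.ip_address("10.10.1.5")}


def alerts_to_rules(alerts, mode="log"):
    """Return (nft commands, deferred alerts with reasons).

    mode="log" stages each rule as log-only so it can be watched before it blocks;
    mode="block" emits the same rule with a drop verdict.
    """
    rules, deferred, seen = [], [], set()
    for a in alerts:
        src, dst = ipaddress.ip_address(a["src"]), ipaddress.ip_address(a["dst"])
        if a["severity"] != "high":
            deferred.append((a["signature"], "severity below threshold"))
            continue
        if src in PROTECTED:
            deferred.append((a["signature"], "source is a protected OT peer"))
            continue
        if src in OT_ZONE:
            deferred.append((a["signature"], "intra-zone traffic: analyst decision, not automation"))
            continue
        key = (str(src), str(dst), a["proto"], a["dport"])
        if key in seen:
            continue  # one rule per flow, however many alerts it raised
        seen.add(key)
        action = "drop" if mode == "block" else 'log prefix "ids-candidate: "'
        rules.append(f"nft add rule inet filter forward ip saddr {src} ip daddr {dst} "
                     f"{a['proto']} dport {a['dport']} {action}")
    return rules, deferred


if __name__ == "__main__":
    rules, deferred = alerts_to_rules(ALERTS)
    for r in rules:
        print(r)
    for signature, reason in deferred:
        print(f"deferred: {signature} ({reason})")
```

Only the cross-zone Modbus write from the IT host becomes a rule, and even that starts as a log-only rule; the burst of writes from the engineering station and the low-severity anomaly are handed to an analyst with a reason attached. In a real deployment the rule set should also expire entries after a review window so that a transient alert does not become a permanent hole in the plant's allowlist.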

For some, all of this sounds like an extremely high cost. What advice would you give these companies?

Fröhlich: At first glance, the implementation of these security measures sounds very extensive. However, it is crucial to act proactively in order to avoid long-term damage and downtime. We therefore advise companies to take a step-by-step approach by first closing the biggest security gaps and then continuously implementing further measures. Here it is important to look first and foremost at what is actually in the network - because what I can see, I can also protect better.
