The Cyber Resilience Act (CRA), which took effect at the close of 2024, challenges companies to ensure that their digital products are entirely secure. The Bosch Rexroth operating system ctrlX OS is thoroughly equipped to meet the demands of the CRA, demonstrating how manufacturing firms can ensure their future viability with this solution.
The CRA requires manufacturers of products with digital components to guarantee a strong level of cybersecurity. First, it sets requirements for the cybersecurity of the products themselves; second, it sets requirements for the procedures manufacturers implement to address vulnerabilities, with the aim of guaranteeing cybersecurity throughout the product support period. Alongside a thorough risk evaluation, cyber risks should be considered right from the product development stage. The products should be designed to be secure by default and able to receive updates. Furthermore, the CRA mandates that significant security incidents and exploited vulnerabilities be reported within 24 hours and addressed promptly through updates.
The Cyber Resilience Act establishes compulsory cybersecurity standards for manufacturers and resellers across the product life cycle – applicable to all products connected to another device or network. With ctrlX OS, we are fully equipped to meet the needs of the CRA. “Customers can trust that our products will prepare them for the future,” states Steffen Winkler, Senior Vice President of Sales in the Automation & Electrification Solutions Business Unit at Bosch Rexroth.
ctrlX OS is prepared for the CRA.
The Linux-based ctrlX OS operating system is a vital part of the Bosch Rexroth automation landscape. ctrlX OS is inherently secure and defaults to secure configurations, having received IEC 62443-4-2 Security Level 2 certification from TÜV Rheinland. Information that is stored, transmitted, or otherwise handled is completely safeguarded. It also offers a framework to swiftly and dependably release and implement security updates without disrupting operations.
The operating system, along with its ecosystem, is designed for the industrial sector and can similarly be utilized by other vendors for their automation elements. As a result, every device utilizing ctrlX OS – whether manufactured by Bosch Rexroth or other vendors – complies with stringent cybersecurity standards. Due to these factors, ctrlX OS is regarded as one of the most advanced, open, and secure operating systems.
Control system ctrlX CORE provides cybersecurity
One example of a Bosch Rexroth ctrlX OS device is the control system ctrlX CORE, which is designed to be secure as standard. ctrlX CORE ensures a very high level of cybersecurity through its secure-by-default and secure-by-design approach and through compliance with international standards. All user access on the devices is subject to strict password rules by default. The level of protection can be increased even more, if necessary. Functional extensions and vulnerability remediation updates are also regularly provided through a secure channel. Access to device data always requires authentication and authorization. The control system uses ctrlX OS, which is certified according to IEC 62443-4-2, and thus complies with the latest cybersecurity standards.
In addition, the control system can be extended with additional security applications from the ctrlX OS Store as required, for example with the Security Scanner, Firewall and VPN Client apps. These support users in meeting the requirements of the CRA for their machines. The Firewall app reduces vulnerabilities to a minimum. The VPN Client ensures secure remote maintenance and protected access to the devices from external networks. Access can be restricted based on the machine status and on-site approval. As part of the machine acceptance checks at network level, the Security Scanner enables the complete inventory of all components as well as the assessment of the entire machinery’s security status. Potential vulnerabilities can therefore be identified and targeted.
Retrofit: the control system also makes existing machines secure
The control system ctrlX CORE provides cybersecurity for both new and existing industrial environments. “To meet the requirements of the CRA and especially in the context of increasing cyber attacks, it is essential to also safeguard existing machines. The ctrlX CORE can also be used as a security gateway in automation solutions with third-party hardware and software to make them secure. With the ctrlX CORE, modern cybersecurity functions can also be integrated into older systems. This is a key advantage in the brownfield environment,” says Winkler.
Customized security concepts
Bosch Rexroth also supports companies with comprehensive consulting and services in the area of cybersecurity. This includes, for example, carrying out threat analysis and risk assessments, security scans, and training to build IT security skills. Customized cybersecurity concepts are developed and implemented together with the users.
“We are currently consistently aligning all products and services to ensure that companies comply with the regulations and can thus design their systems securely and robustly in the long term – this is the only way for them to be ready for the future,” says Winkler.