Cyber Security

Trends in automation: security, AI and sustainability are drivers of the future

Steffen Winkler, Game Changer, ctrlX AUTOMATION

  • Cyber Resilience Act promotes broader security measures
  • More and more AI-assisted applications are being integrated into automation systems
  • Sustainable manufacturing becomes a strategic goal
  • The future lies in ecosystems and collaborative innovations

Economic uncertainties, growing regulatory pressure, and a shortage of skilled workers are holding back the industry’s competitiveness and ability to innovate. Automation is a powerful lever to meet these challenges. Bosch Rexroth sees four key trends shaping automation in 2025: increased security measures through the Cyber Resilience Act (CRA), artificial intelligence as an efficiency booster, more sustainability as a response to stricter environmental requirements, and open ecosystems for more innovation.

Increased security measures, artificial intelligence and more sustainability. These are the automation trends from Bosch Rexroth’s perspective for the year 2025. (Image source: Bosch Rexroth AG, created with the help of AI)

“Automation remains the key to making the industry future-proof and competitive. It enables efficiency gains, new business models, and added value. We are seeing more and more companies relying on automation platforms with ecosystems, as they offer the greatest possible scope for action. This trend will also continue to increase in 2025,” explains Steffen Winkler, Senior Vice President Sales Business Unit Automation & Electrification Solutions at Bosch Rexroth.

Even greater focus on security with the Cyber Resilience Act

The Cyber Resilience Act (CRA), which came into force at the end of 2024, presents manufacturers and operators of industrial automation systems with new security requirements. The European regulation aims to improve security standards for digital products, thus increasing their resilience to cyber attacks. Products should be securely designed and updatable throughout their entire life cycle.

“IT security is more essential than ever for successful digitization strategies and products. The CRA provides clear requirements – this is an important step toward creating a high level of security across the board and strengthening user confidence in digital solutions. We therefore need to make automation solutions fit for these challenges, as we have already done with our operating system ctrlX OS. It is designed to be secure from the ground up and is therefore ideally prepared for the requirements of the CRA,” says Winkler.

For companies in the automation industry, the CRA means an even more intensive focus on security and product integrity. Adherence to the new directives requires a rethink that starts in product development.

AI is a driver of innovation in automation

Artificial intelligence is set to become even more important in 2025 – including in the automation industry. More and more AI-assisted applications are being integrated into automation systems. AI-assisted apps are already available in the partner network ctrlX World.

Artificial intelligence is increasingly embedded in software. AI-assisted software modules, such as neural networks for image processing solutions, are changing the possibilities for automation. AI also provides new operational insights in practice by analyzing data flows in automation devices. And it changes the way we work, for example in software development, where tools such as coding co-pilots speed up programming.

This enables significant efficiency gains both in the development of automation technologies and in their application.

Sustainability as a strategic goal

Sustainability and energy efficiency will continue to challenge industry and therefore also the automation sector. Industry plays a crucial role in achieving the global climate targets. Sustainable manufacturing requires zero emissions, resource efficiency, and cost-effectiveness.

More and more energy-saving functions are therefore being incorporated into automation components. Tools to simulate energy and performance also make an important contribution to optimizing manufacturing processes. There is further potential in the professional reprocessing of automation components: remanufacturing reduces the carbon footprint of used components by more than 50 percent compared to new products and conserves precious resources.

Open ecosystems for collaborative innovations

“The German automation industry is a global leader. To maintain and expand this leading position, it is essential to strengthen Germany as a business location and to boost the industry’s competitiveness even more,” says Winkler, adding: “Simply being at the technological forefront is not enough to remain successful in global competition in the long term.”

The key lies in open platforms and collaborative ecosystems that create real benefits for users. Such ecosystems combine the strengths of different players and thus enable the development of new, innovative approaches. This creates a culture of collaboration in which partners from different areas work together on solutions that go far beyond the capabilities of individual companies. In addition, open cooperation strengthens users’ trust in digital technologies by providing them with more flexible, interoperable, and future-proof solutions.

Bosch Rexroth constantly drives forward openness and co-creation in the automation world with its operating system ctrlX OS and the automation system ctrlX AUTOMATION.

As one of the world’s leading suppliers of drive and control technologies, Bosch Rexroth ensures efficient, powerful and safe movement in machines and systems of any size. The company bundles global application experience in the market segments of Mobile and Industrial Applications as well as Factory Automation. With its intelligent components, customized system solutions, engineering and services, Bosch Rexroth is creating the necessary environment for fully connected applications. Bosch Rexroth offers its customers hydraulics, electric drive and control technology, gear technology and linear motion and assembly technology, including software and interfaces to the Internet of Things. With locations in over 80 countries, around 33,800 associates generated sales revenue of 7.6 billion euros in 2023.

To learn more, please visit www.boschrexroth.com

CMA/Flodyne/Hydradyne is an authorized Bosch Rexroth distributor in Illinois, Wisconsin, Iowa and Northern Indiana.

In addition to distribution, we design and fabricate complete engineered systems, including hydraulic power units, electrical control panels, pneumatic panels & aluminum framing. Our advanced components and system solutions are found in a wide variety of industrial applications such as wind energy, solar energy, process control and more.

Cybersecurity – not an optional extra, but a duty

The factory of the future is characterized by the increasing networking of control technology, IT and IoT. The various systems must be seamlessly interconnected to ensure end-to-end digital processes. At the same time, however, this increases the risk of cyber attacks, as attackers have more and more entry points. In the connected world, attacks can cause more damage than ever before. It is therefore essential that security is consistently implemented at all levels. ctrlX AUTOMATION shows how this works while maintaining radical openness in automation.

More and more devices and machines are being networked and communicate via the Internet of Things (IoT). This creates numerous opportunities, but also risks. The more components are connected, the larger the attack surface. Cyber attacks can paralyze production and lead to financial losses and image damage.

Many systems in factories are outdated and were developed without considering cyber security. This makes them more vulnerable to attacks and difficult or impossible to update. It is therefore necessary to develop more resilient solutions. This must include IT systems as well as control technology and the IoT. This means: radical openness at all levels meets security at all levels.

But secure: from the control system to the apps

With ctrlX AUTOMATION, Bosch Rexroth has launched an end-to-end, open automation solution that has been designed from the ground up to be completely secure. The high security standards apply to all components in the automation toolkit and to every component added as the system grows. The hardware and software products are Secure by Design, meaning that security requirements are taken into account from the development phase onward. The automation solution, which was developed with a focus on conformity with IEC 62443-4-2, is based on the Linux Ubuntu Core operating system, which is considered to be extremely secure.

The ctrlX CORE controller is an example of the high level of security in the ctrlX AUTOMATION portfolio. The associated IoT software has fully integrated IT security standards according to IEC 62443-4-2 for access control and remote maintenance. In addition, the controller offers various security features such as Secure Boot, a security chip in accordance with TPM 2.0, and a minimal network footprint when delivered. With the optional firewall and VPN client, the controller can be upgraded to a full-fledged network appliance, which ensures the highest possible availability and security of the connected network components.

Since ctrlX AUTOMATION is not a self-contained system, but rather a place where different players pool their domain knowledge, the security strategy also includes the partner network ctrlX World. For example, each of the partner apps offered is validated by Bosch Rexroth. This rules out the possibility of third-party software introducing malicious code. This and the sandboxing principle further increase the security of the other apps installed on the system.

ctrlX developR design with a view to the future

The holistic and fundamental implementation of security standards and mechanisms in all facets of ctrlX AUTOMATION creates a resilient overall system that can also demonstrate these capabilities. In order to maintain this level, permanent further development is required – also in view of constantly emerging attack types and attack vectors.

That is why ctrlX developR always keep their fingers on the pulse and look to the future. The latest security requirements are already taken into account in the planning and development phase. At Bosch Rexroth, “Two steps ahead” also applies when it comes to security.

If you have any questions or require further information regarding ctrlX AUTOMATION, please contact us: sales@cmafh.com


Secure Protection from Attacks, Malicious Software and Unauthorized Access

Guest contributors: Gerrit Boysen and Mariam Coladonato, Phoenix Contact

High system availability is very important in process engineering, because ongoing processes must not be interrupted. A fence is a physical, easily identifiable safety measure to secure systems from unauthorized persons. In addition to such physical protections, implementing IT security practices is also becoming more important.

The current trend toward interconnectivity is driving the growing need for IT security in process engineering. Not only is there an increasing number of horizontal interconnections from one system to another, but also the field level is more connected to the office level. In addition, all levels are using more and more Ethernet components. The good news is that this interconnection increases efficiency and reduces costs. The downside of this, however, is that it also increases the risk that malicious software will quickly spread throughout all areas of a company.

Against this background, process-engineering systems are repeatedly being threatened by new security gaps and a growing number of malicious programs. The computers and control systems used in industrial networks must have much more extensive protection from attacks, malicious software, and unauthorized access than they have so far (Figure 1).


Figure 1: The Process Analysis Center is protected by a firewall.

The security strategies used in conventional office IT, however, usually are not designed for industrial systems. Industrial networks require special protective measures. The IT systems used in production environments differ fundamentally from those used in office environments in four ways.

  1. Patches cannot typically be applied to industrial systems
  2. Industrial systems use special protocols such as OPC Classic, which are not used in the office world
  3. Large systems can have structurally identical modular assemblies with identical IP addresses
  4. Production systems often require different firewall rules and standards during maintenance and in the event of remote servicing

Office PCs usually have virus scanners that perform security updates at regular intervals. These measures do not normally work for industrial systems, for a few reasons. Sometimes, the manufacturer of the operating systems or applications used in the industrial sector no longer provides security updates. In addition, test measures must be performed on industrial PCs before each operating system, antivirus software, or application update, which is not operationally efficient.

The use of specific industrial firewalls can protect these non-patchable systems against attacks from outside the network. To do this, hardware-based firewall appliances are connected between industrial PCs and outside networks. Another advantage of using external security hardware is that the system’s resources do not have to be used for security tasks (Figure 2).


Figure 2: Security example from the process industry.

Targeted restriction of network communications

With firewalls, the user can configure the protocols and ports that can be used to access the protected systems. This prevents, or at least limits, attempts by an attacker to gain access to the network through insecure ports. The Stateful Packet Inspection Firewall approach is an ideal way to manage these systems. This approach uses rules to filter incoming and outgoing data packets in both directions: from the outside to the protected internal network and vice versa. Rules based on protocol, source address and port, and destination address and port limit network communications selectively to the defined scope required for production. Here, the Connection Tracking function identifies the response packets on permitted connections and lets them through.

When selecting a suitable firewall, the engineer must ensure that the selected firewall understands any protocols used in the particular industry. Otherwise, reliable protection cannot be guaranteed. For example, office firewalls typically do not support industrial protocols such as OPC Classic, so they cannot provide appropriate protection for the application.

While conventional firewalls cannot reliably protect data traffic via OPC Classic, industrial variants – such as one with a license for OPC Inspector – can provide a suitable solution. The firewall checks the OPC Classic communications data packets and filters them precisely, based on Deep Packet Inspection. For this purpose, the Stateful Inspection principle is also applied to OPC Classic data. This means that the firewall identifies the port changes negotiated in the OPC Classic protocol and approves them dynamically. In this context, it inspects whether a port opened by OPC is used within a timeout period and whether the data traffic moving through this port corresponds to the OPC protocol. This method provides a high level of access security (Figure 3).


Figure 3: Deep Packet Inspection in the OPC protocol.
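A constructed model of the stateful filtering, connection tracking and dynamic OPC port approval described above (added here; not code from Phoenix Contact or any firewall product). The rule format, the addresses and ports, and the 10-second approval timeout are assumptions.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Stateful packet inspection with connection tracking, plus approval of
    OPC Classic dynamic ports with a timeout (constructed model, not a product)."""

    def __init__(self, rules, pinhole_timeout=10):
        # rules: (source network, destination network, destination port) that may open a connection
        self.rules = [(ipaddress.ip_network(s), ipaddress.ip_network(d), port)
                      for s, d, port in rules]
        self.conntrack = set()   # flows (src, sport, dst, dport) already accepted
        self.pinholes = {}       # (server, negotiated port) -> time the approval expires
        self.timeout = pinhole_timeout

    def _rule_allows(self, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        return any(src in s and dst in d and p.dport == port for s, d, port in self.rules)

    def opc_negotiated_port(self, server, port, now):
        """Deep packet inspection saw the OPC server announce a dynamic port: approve it briefly."""
        self.pinholes[(server, port)] = now + self.timeout

    def filter(self, p, now):
        flow = (p.src, p.sport, p.dst, p.dport)
        if flow in self.conntrack or (p.dst, p.dport, p.src, p.sport) in self.conntrack:
            return "ACCEPT"      # connection tracking: known flow or the response to it
        expiry = self.pinholes.pop((p.dst, p.dport), None)   # approvals are single use
        if expiry is not None and now <= expiry:
            self.conntrack.add(flow)
            return "ACCEPT"      # negotiated OPC port used within the timeout
        if self._rule_allows(p):
            self.conntrack.add(flow)
            return "ACCEPT"      # new connection permitted by an explicit rule
        return "DROP"            # everything else, including expired approvals

def demo():
    fw = StatefulFirewall(rules=[("10.0.0.0/24", "192.168.1.0/24", 135)])
    client, server = "10.0.0.5", "192.168.1.10"   # constructed addresses
    out = [fw.filter(Packet(client, 40000, server, 135), now=0),        # rule: endpoint mapper
           fw.filter(Packet(server, 135, client, 40000), now=1),        # tracked response
           fw.filter(Packet("10.0.0.9", 40500, server, 49152), now=1)]  # neither rule nor negotiated
    fw.opc_negotiated_port(server, 49152, now=1)                        # DPI sees the port negotiation
    out.append(fw.filter(Packet(client, 40001, server, 49152), now=5))  # inside the timeout
    fw.opc_negotiated_port(server, 49200, now=5)
    out.append(fw.filter(Packet(client, 40002, server, 49200), now=20)) # after the timeout
    return out

if __name__ == "__main__":
    print(demo())   # ['ACCEPT', 'ACCEPT', 'DROP', 'ACCEPT', 'DROP']
```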

Unique and clear mapping to virtual external networks

Complex production sequences are typically structured into networked, largely standalone cells. For an efficient design of the engineering, documentation, and cell operation, the use of identical IP addresses for all systems of a single type proves to be advantageous. If all communications are initiated from the internal cell networks, several identical systems can be connected with simple masquerading NAT (Network Address Translation) routers to the operator’s production network. If the higher level network also needs to establish a connection to the individual cell nodes, however, this solution is not sufficient, because the cell nodes cannot be addressed from the outside. In this case, the user requires a router that can map internal machine networks universally or selectively to unique virtual external networks using 1:1 NAT.

Because of this, an industrial firewall offers the so-called 1:1 NAT routing function, in addition to the pure NAT routing. OPC Inspector, mentioned above, allows this NAT function for the OPC Classic protocol. This sets it apart from conventional office firewalls and other industrial firewalls.
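The 1:1 NAT mapping described above, as an added, constructed model (not code from any router product): each cell keeps the same internal network, and the router shifts only the network part of an address onto a unique external virtual network. The cell names and address ranges are assumptions.

```python
import ipaddress

class OneToOneNat:
    """1:1 NAT router for identically addressed cells (constructed model, not a product).
    Every cell keeps the same internal network; each is mapped onto its own
    external virtual network, so cell hosts remain addressable from above."""

    def __init__(self, internal_net):
        self.internal = ipaddress.ip_network(internal_net)
        self.cells = {}   # cell name -> external virtual network

    def add_cell(self, name, external_net):
        ext = ipaddress.ip_network(external_net)
        if ext.prefixlen != self.internal.prefixlen:
            raise ValueError("1:1 NAT maps networks of equal size")
        if any(ext.overlaps(other) for other in self.cells.values()):
            raise ValueError(f"external network {ext} already assigned")
        self.cells[name] = ext

    @staticmethod
    def _shift(addr, from_net, to_net):
        # keep the host part of the address, swap the network part
        offset = int(addr) - int(from_net.network_address)
        return ipaddress.ip_address(int(to_net.network_address) + offset)

    def inbound(self, external_dst):
        """Production network reaches a cell host: external virtual -> internal address."""
        dst = ipaddress.ip_address(external_dst)
        for name, ext in self.cells.items():
            if dst in ext:
                return name, str(self._shift(dst, ext, self.internal))
        raise LookupError(f"{dst} is not a mapped cell address")

    def outbound(self, cell, internal_src):
        """Cell host talks upward: its identical internal address becomes a unique one."""
        src = ipaddress.ip_address(internal_src)
        if src not in self.internal:
            raise ValueError(f"{src} is outside {self.internal}")
        return str(self._shift(src, self.internal, self.cells[cell]))

def demo():
    nat = OneToOneNat("192.168.1.0/24")        # constructed: same network in every cell
    nat.add_cell("cell-A", "10.10.1.0/24")
    nat.add_cell("cell-B", "10.10.2.0/24")
    # the PLC in both cells has the identical internal address 192.168.1.10
    a_ext = nat.outbound("cell-A", "192.168.1.10")   # '10.10.1.10'
    b_ext = nat.outbound("cell-B", "192.168.1.10")   # '10.10.2.10'
    # a SCADA host on the production network addresses cell B's PLC by its virtual address
    cell, internal = nat.inbound("10.10.2.10")       # ('cell-B', '192.168.1.10')
    return a_ext, b_ext, cell, internal
```

With plain masquerading NAT the inbound lookup would have no answer, which is the case the text says simple NAT routers cannot cover.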

Event-controlled (de)activation of firewall rules

Different firewall rules and standards have advantages in different situations. This is because during production operation or maintenance and remote system servicing, different connections are allowed or forbidden. In practice, the user usually solves the problem by merging the various firewall requirements into a single set of rules. This procedure inevitably lowers the level of security, because the firewall rules then allow all connections required for the different operating states, even those not required for the current operation.

An industrial firewall solves the problem by implementing a Conditional Firewall. This function allows the firewall rules to be activated or deactivated depending on events. A variety of events – such as an externally connected button, switch, control window in a web interface, API command line, or establishing or disconnecting a VPN (Virtual Private Network) connection – can be selected to trigger a specific firewall rule (Figure 4).


Figure 4: Secure remote access to the system.
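An added, constructed model of the conditional firewall from the two paragraphs above (not code from any product), contrasting event-switched rule sets with the merged always-on rule set the text warns about. The event names, networks and ports are assumptions.

```python
import ipaddress
from enum import Enum

class Mode(Enum):
    PRODUCTION = "production"
    MAINTENANCE = "maintenance"

# Events that switch the rule set (constructed: a key switch on the cabinet and the VPN client).
TRANSITIONS = {
    "maintenance_switch_on": Mode.MAINTENANCE,
    "vpn_connected": Mode.MAINTENANCE,
    "maintenance_switch_off": Mode.PRODUCTION,
    "vpn_disconnected": Mode.PRODUCTION,
}

def _matches(rules, src, dport):
    src_addr = ipaddress.ip_address(src)
    return any(src_addr in ipaddress.ip_network(net) and port == dport for net, port in rules)

class ConditionalFirewall:
    """Event-controlled rule sets (constructed model of a conditional firewall)."""

    def __init__(self, rule_sets, mode=Mode.PRODUCTION):
        self.rule_sets = rule_sets    # Mode -> set of (source network, destination port)
        self.mode = mode
        self.log = []                 # (event, resulting mode), kept as an audit trail

    def on_event(self, event):
        if event in TRANSITIONS:
            self.mode = TRANSITIONS[event]
            self.log.append((event, self.mode.value))

    def allows(self, src, dport):
        return _matches(self.rule_sets[self.mode], src, dport)

def merged_allows(rule_sets, src, dport):
    """The usual workaround: one rule set holding every mode's rules, always active."""
    return _matches(set().union(*rule_sets.values()), src, dport)

# Constructed rules: SCADA may reach the OPC endpoint mapper; the service laptop
# on the VPN network additionally gets SSH and RDP, but only during maintenance.
PRODUCTION_RULES = {("10.0.0.0/24", 135)}
MAINTENANCE_RULES = PRODUCTION_RULES | {("10.99.0.0/24", 22), ("10.99.0.0/24", 3389)}
RULE_SETS = {Mode.PRODUCTION: PRODUCTION_RULES, Mode.MAINTENANCE: MAINTENANCE_RULES}

def demo():
    fw = ConditionalFirewall(RULE_SETS)
    result = {
        "scada_in_production": fw.allows("10.0.0.5", 135),                     # True
        "rdp_in_production": fw.allows("10.99.0.7", 3389),                     # False
        "rdp_with_merged_rules": merged_allows(RULE_SETS, "10.99.0.7", 3389),  # True: always open
    }
    fw.on_event("vpn_connected")
    result["rdp_during_maintenance"] = fw.allows("10.99.0.7", 3389)            # True
    fw.on_event("vpn_disconnected")
    result["rdp_after_maintenance"] = fw.allows("10.99.0.7", 3389)             # False again
    return result
```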

Summary

The requirements placed on a firewall in a production zone are different from those in the office world. Therefore, using an industrial firewall with a NAT function can support the individual, simple segmentation of networks. This allows the Defense-in-Depth concept based on the ISA-99 and IEC 62443 international standards to be implemented even in systems using the OPC Classic protocol.