
Securely connected – on all levels

Industry 4.0 means connectivity – and achieving goals such as increasing productivity and tapping into new value creation potential. However, the industrial Internet of Things (IoT) places entirely new requirements on security and thus on automation solutions themselves. Because security features had to be retrofitted into existing products individually, it was difficult to implement an integrated concept. With the ctrlX AUTOMATION platform, Bosch Rexroth “reinvented” modern automation and was thus able to develop an integrated security concept from scratch. It is certified in accordance with IEC 62443 and is an essential part of the ctrlX AUTOMATION platform.

Bosch Rexroth has successfully brought together the world of automation with the Internet of Things to create the Factory of the Future. ctrlX AUTOMATION combines control technology, IT and the IoT securely to create an open and scalable system. Security is rigorously enforced on all levels.

Secure by design – integrated and secure

With ctrlX AUTOMATION, Bosch Rexroth has focused on IT security in a way that covers hardware and software equally. The products are “Secure by Design” from the bottom up. For users – especially in Industry 4.0 environments – it is crucially important that the devices used for connectivity purposes offer suitable security mechanisms. These security requirements determine the approach Bosch Rexroth takes when developing ctrlX AUTOMATION solutions and form the foundation of ctrlX IOT.

In keeping with the “Secure by Design” principle, Bosch Rexroth relies on Ubuntu Core Linux as the operating system. Each application runs in a sandbox. Within this sandbox, the apps (software containers in the Snap format) are confined by default. Each solution is therefore isolated, and only a few interfaces (defined per app) allow access to other apps or to peripherals. In this way, Bosch Rexroth bridges the gap between a secure and an open system. Should a piece of third-party software contain malicious code, the rest of the system is protected because the malicious code is contained within the sandbox.

The integrated apps such as ctrlX MOTION and ctrlX PLC are also immune to manipulation and are protected against corruption. Thanks to immutable packages and digital signatures, each app is checked at installation time to ensure that the software was verified and published by Bosch Rexroth. Snaps also provide the option of updating individual apps in a targeted manner. If an update leads to problems, the previous version can easily be restored through a rollback.

With the ctrlX CORE control system, Bosch Rexroth also offers an integrated all-in-one network appliance for maximum safety and the highest possible availability of router, IoT gateway, firewall and VPN functions. The modern IoT software is based on fully integrated cyber security standards in accordance with IEC 62443 for access control and remote maintenance.

Secure Boot is a related security feature. It checks whether the boot loader or the operating system has been manipulated. In combination with the signed applications, system integrity can be ensured at all times.

A TPM 2.0 chip is also included. The Trusted Platform Module expands the security functions, for example to protect cryptographic material on the device. An attacker is therefore unable to extract cryptographic material from the device and thus decrypt communications or steal the identity of a device. Hardware-based keys and certificates also ensure authentic identification.

The user management system of ctrlX CORE is one of the system’s basic security mechanisms. It offers users system-wide identification and access control for all apps and the ctrlX Data Layer. Configurable user management thus prevents unauthorized access to data and functionality.

The “Secure Production Mode” is also used. In this user-defined operating mode, all applications and functions which are not required can be disabled or uninstalled. This closes potential attack vectors. Thanks to the Secure Production Mode, the network footprint is kept as small as possible.

Secure by Default

The control system ctrlX CORE is not only “Secure by Design” – it is also “Secure by Default” and thus offers safety and flexibility when integrating data into existing IT production systems. Users can therefore use the device securely from the very start and can connect it to other systems and the IoT with confidence and with no need for configuration work.


Firewall and VPN apps ensure extra security

The system can be expanded with customer-specific apps and is ready for new standards such as 5G and OPC UA over TSN. To allow additional use cases, a VPN extension or firewall installation via app is optionally possible.

The firewall allows easy configuration for users, network segmentation and access management. Bosch Rexroth has developed a firewall based on nftables which includes an operator-friendly web frontend. The firewall checks all network traffic on an ongoing basis so that, for example, ransomware can be stopped. End users can make the firewall configuration as complex as they like and can tailor it to their needs. Thanks to a segmented network with increased system protection, production remains operational and production know-how is protected in the event of a virus attack.

The VPN app supports the two popular VPN protocols OpenVPN and IPsec. Both services are securely encrypted and offer maximum security. They can easily be connected to a company’s own server – if available – for secure remote maintenance, for example. This saves having to involve additional hardware.

With ctrlX AUTOMATION, the effectiveness and safety required in today’s Industry 4.0 environments can be achieved in an integrated manner. It is therefore an elementary, secure building block for the fully connected Factory of the Future.


If you have any questions or require further information regarding ctrlX AUTOMATION, please contact us:


Michael Langfinger, ctrlX AUTOMATION Area Product Owner IT Security
