30 Seconds, not 30 Minutes: Security Updates at the Click of a Button
How KEB Simplifies the CRA’s Update Requirement with NOA
The Cyber Resilience Act (CRA) will take effect at the end of 2027, bringing significant changes for the machine engineering industry. The focus is on assessing the cybersecurity of products and processes with the goal of systematically closing security gaps. Among other things, the CRA mandates the automatic installation of security updates to preempt potential vulnerabilities. But how can this requirement be met when several hundred controllers, inverters, and machines need to be updated? Daniel Preuß, Product Owner for the IIoT Platform at KEB, explains in an interview how the open automation platform NOA implements updates in seconds.
Why are security updates for products with digital components so important in the Cyber Resilience Act?
Daniel Preuß: Generally speaking, software updates are important because they contribute to system stability by providing bug fixes and preventing unplanned downtime. They also expand the range of functions, enabling new use cases to be implemented with machines. But updates are particularly necessary when it comes to cybersecurity – and the CRA takes this into account as well. Today, new security vulnerabilities are constantly emerging, or existing ones are being discovered by hackers. This makes it all the more important to perform regular updates that close these vulnerabilities. This helps protect against targeted attacks on industrial systems, such as those involving ransomware or sabotage. Such attacks result in high costs, downtime, and even machine malfunctions – for example, when machines are taken over by the attacker. The goal, therefore, is to reduce the attack surface by keeping components, libraries, and protocols up to date. OT systems are particularly critical. They often have long lifecycles and are specifically targeted because they are rarely patched. That is why they require special protection. This is where NOA comes in.
How does installing updates with NOA work?
NOA offers users three convenient ways to install updates. In the On-Premise mode, the user accesses the NOA device – such as the Embedded Automation Device C6 Compact 3 from KEB – via an HTTP interface (Ethernet). To do this, the laptop must be on the same network as the NOA device. The advantage is that the software can be quickly downloaded directly into NOA via the App Manager, allowing the user to continue working on their laptop.
Another option is the cloud. The NOA Portal cloud solution is used to access the device, and the update is conveniently installed from the cloud. The laptop and NOA device do not need to be on the same network. The process is particularly simple: open a browser, navigate to the NOA Portal, and start the updates with the click of a button – that’s it.
Updates can also be installed via VPN, even if the user is not on the local network of their NOA device, provided the device has an internet connection. Using the NOA Connect app, the user can establish a VPN connection to the NOA device and access other devices on the same network. Software updates—which may have been downloaded to the laptop beforehand, for example – can then be installed on the devices within the NOA device’s network.
What would the alternative approach look like without NOA to meet the CRA’s update requirements?
That depends on the device and the available interfaces—that is, whether a CD drive, USB port, Ethernet port, and internet access are present. In addition, storage media such as USB flash drives or SD cards are required. This is inconvenient, as it requires physical access to the device and the storage medium must be inserted manually each time. Of course, it’s also possible to download software to the laptop and then install it. However, this is time-consuming, since the laptop has to repeatedly establish a connection to the respective device. This is exactly where NOA can significantly simplify the processes—with just a few clicks, the update starts for all devices.
What You Should Know About NOA
What You Should Know About NOA
Probably one of the biggest obstacles is the large number of devices that need to be updated…
Exactly, because in production environments, it’s not uncommon for users to have several hundred units that need to receive security updates. With the NOA Portal, the process becomes particularly efficient thanks to the Fleet Management feature. Fleet Management gives users a complete overview of all devices in the field or in production. These can be managed in the NOA Portal, and updates can be initiated for the entire fleet of devices. Once logged into the NOA Portal, it takes just six clicks to start the update. This reduces the time required from 30 minutes—with a traditional update using a storage medium—to just 30 seconds. So as you can see, traditional update methods take far too long. As a result, they aren’t consistently used in practice, and vulnerability management fails to gain proper momentum. Only software like NOA makes consistent vulnerability management possible.
What update intervals should users expect?
Here, we distinguish between security updates and product updates for new features, stability improvements, etc. Security updates are carried out by KEB in accordance with CRA guidelines; to this end, we have implemented product-level vulnerability management at KEB. We continuously monitor software that we have released to the market, using a Software Bill of Materials (SBOM) that we generate during the software release process. This means we know which of our own and third-party components are included in our software. We cross-reference our software against databases of known vulnerabilities to determine whether any of our released software contains security vulnerabilities. Based on this, we provide security updates whenever a security vulnerability is discovered. In accordance with the CRA, we then report these findings to the relevant authority.
