Interview with Dr. Olaf Weinmann on the Cyber Resilience Act

“Cybersecurity creates the foundation for digitalization”

Whether Cyber Resilience Act or NIS2 Directive: legislators are currently pushing the topic of cybersecurity.

The Cyber Resilience Act presents challenges for machine and plant manufacturers - but also offers opportunities. Dr. Olaf Weinmann, Vice President Digital Solutions at Uhlmann Pac-Systeme, explains in the interview why cybersecurity is the basis for digitalization and why AI is both a blessing and a curse here.

Dr. Weinmann, how do you assess the requirements of the Cyber Resilience Act (CRA) from the perspective of a packaging machine manufacturer? Are there specific challenges in implementation?

Dr. Olaf Weinmann, Vice President Digital Solutions at Uhlmann Pac-Systeme

Olaf Weinmann: The requirements of the CRA are definitely an important step towards unified cybersecurity standards within the EU. We expressly welcome the initiative as digitization and networking continue to advance. The security of our customers is our top priority. Data-driven solutions and initial approaches to data ecosystems are also becoming more important in the pharmaceutical sector, which tends to act conservatively due to its strict regulations. But despite all the openness to the possibilities of digital solutions like predictive maintenance, no customer will be willing to share their data without robust security standards. Cybersecurity not only creates security but is also one of the foundations for digitization. That's why we were already dealing intensively with the topic even before the current legislation and have thus created a solid basis for the upcoming requirements.

The complexity of implementation lies in several aspects. Packaging machines are now part of comprehensive production ecosystems. We alone are present in many companies with several machines: for example, with a blister machine, followed by a cartoner. Then, of course, there is an end-of-line solution, etc. The CRA requirements - particularly regarding product safety, software updates, and protection against cyberattacks - affect not only the machines but also the entire digital infrastructure, including interfaces to customer systems.

Additionally, software often has a very short lifecycle, while our machines are often in use for decades. This discrepancy places special demands on our development processes and ensuring backward compatibility. Another point is that existing machines must also comply with CRA standards in the event of an update, which requires both technical and procedural adjustments. And since we are, as already mentioned, in a highly regulated area, the operator cannot simply install an update and continue production - they may have to revalidate at least part of the process, which results in a temporary production outage. Our task is therefore to keep security high and the effort on the customer side as low as possible. This, of course, also requires clean documentation of the installed base throughout the entire lifecycle. Because if a machine has been in the field for 20 years, for example, many modifications or new functions have probably been added that need to be considered.

What measures have you taken at Uhlmann to meet the CRA requirements?

Weinmann: We have set up an interdisciplinary project team that deals with the requirements of the CRA and the NIS2 directive. The most important measures include:

  • Implementation of "security by design" and "secure by default" principles.
  • Introduction of a secure software development lifecycle (SSDLC).
  • Modularization in connection with software upgrades.
  • Regular penetration tests and security analyses.

Additionally, we have launched a "security champion" program to spread knowledge throughout the company. A key component is close collaboration with our customers and, of course, our suppliers. Our goal is to deliver secure machines or systems to our customers, and we also take responsibility for the overall solution. After all, it cannot be that our customers have to turn to the manufacturers of individual components in case of problems. They would not accept that, and it does not meet our standards.

How has the development process of your machines changed due to the CRA?

Weinmann: The development process has been expanded to include security requirements that were not necessary in this level of detail before. We are guided by standards such as IEC 62443 and are considering certification. An example is the already mentioned Secure Software Development Lifecycle. Such measures help us to identify and fix vulnerabilities early.

Do you also support your customers in making their OT infrastructures secure?

Weinmann: Yes, definitely. Cybersecurity is particularly challenging in the OT area because many customers have isolated their production networks from the internet. However, with increasing digitalization, this is gradually changing. We advise our customers and place great emphasis on ensuring that our products meet the highest security requirements. This includes standardized interfaces, training, and close collaboration with our customers' IT departments, because small companies especially will reach their limits with the requirements of the CRA and NIS2.

That is why we support, wherever we can, the creation of a secure overall solution. However, the core business of Uhlmann Pac-Systeme is and remains the solution around the packaging machine, not IT consulting. From my own experience, I can say: the know-how regarding cybersecurity is growing rapidly in the industry and many companies are investing in security experts. The exchange with competent contacts also makes our work easier.

What role does artificial intelligence (AI) play in your cybersecurity strategy?

Weinmann: AI has proven to be a double-edged sword here, because it also makes it easier for non-experts to launch cyberattacks. Of course, it was previously possible, for example, through freely available tools for penetration testing, to find and exploit security vulnerabilities. But with AI, such attacks potentially become significantly more dangerous.

At the same time, it also offers great potential to meet the requirements of the CRA more efficiently. We use AI in software development, for example in testing, debugging, or creating documentation. This is also intended to be extended to the optimization of security in the future. We also see potential for AI-supported solutions directly in our machines, which can help with troubleshooting or optimizing parameters. However, the data basis is crucial - without high-quality data, the potential of AI remains limited.

In addition to cybersecurity, AI has many other exciting applications. For example, we are currently working on feeding AI with our documentation so that it can assist in troubleshooting. It could also help make our machines more user-friendly in the future, thus easing operation during times of skilled labor shortages. This will positively impact OEE.

Are there platforms or initiatives you would recommend to companies that want to learn more about cybersecurity and exchange ideas?

Weinmann: There are several good points of contact, such as the VDMA with its working groups. TÜV Süd has some exciting offerings, and of course, Manufacturing X, specifically Factory X, deals with the topic, among others - here we at Uhlmann are represented in various working groups. I would also recommend the Manusec conference, where we also participate, for example, in panel discussions and benefit from mutual exchange of experiences.
