Visions Podcast: Building Cyber Resilient Machine Vision, Part 1

MVTec's Thomas Hopner discusses practical approaches to securing machine vision systems, including communication security, firmware integrity, and compliance with the EU Cyber Resilience Act.

Key Highlights

  • Cyber resilience focuses on recovery and ongoing patching, setting it apart from traditional cybersecurity measures.
  • Practical guidance includes securing communication channels, maintaining firmware integrity, and managing software bills of materials (SBOMs).
  • MVTec emphasizes customer collaboration, support, and timely patches to enhance system security.

In this episode of Visions: A Machine Vision and Automation Solutions Podcast, Sharon Spielman, VSD's head of content, interviews Thomas Hopner of MVTec, who discusses cyber resilience for machine vision systems, explaining how resilience differs from traditional cybersecurity and why recovery and ongoing patching matter.

Hopner covers practical guidance on secure communication, firmware integrity, software bills of materials (SBOMs), and compliance with the EU Cyber Resilience Act, plus MVTec's approach to patches, support, and customer collaboration. This is Part 1 of a two-part installment.


Transcript

Well, hello and welcome to Visions: A Machine Vision and Automation Solutions Podcast. I'm your host, Jim Tatum, senior editor of Vision Systems Design. Visions is an Endeavor Business Media production from your friends at Vision Systems Design. Here you'll find the latest on everything from end-user machine vision solutions to trends, developments, and perspectives on all things machine vision and imaging. Whether you've been working in the industry for a while or you're just starting to take a closer look at it, this podcast is designed to grow your knowledge and bring greater focus to your understanding of the imaging and machine vision industry. And now on to our show.
Welcome, everyone. I'm Sharon Spielman with Vision Systems Design. Today we're focusing on cyber resilience in machine vision systems: the ability to not only defend against but also recover from cyberattacks. With increasing threats and new regulations like the EU Cyber Resilience Act, ensuring vision products are secure, resilient and compliant is critical. Joining us today is Thomas Hopner, product portfolio manager with MVTec, who will share his insights on building resilient systems, securing communication and firmware, and navigating EU requirements. Let's dive in. Thank you for being here, Thomas.
Thank you for the invitation. 
You're welcome. So do you want to give us, and our audience, a little bit of background on who you are, your position there and what MVTec does?
So, MVTec is a supplier of machine vision software. We are a pure software supplier, and we only supply machine vision software. My position in the company is product portfolio manager, and I make sure that all the products basically meet the customers' requirements. And part of this is also looking at compliance topics like the Cyber Resilience Act or cybersecurity.
Okay. All right. I'm just going to jump right in. I have a few questions for you. So how does the concept of cyber resilience differ from traditional cybersecurity in the context of machine vision systems?
So, in general, the difference is that cyber resilience emphasizes the resilience part. It says basically you cannot be secure forever, but you need to be able to handle cybersecurity incidents in a good way and be resilient against them. And cybersecurity itself, if you really love it, helps you to avoid it up front, from the beginning. And, yeah, it's not certain that you won't need to handle it because it won't happen; there may still be an incident.
All right. I just wanted to clarify for the audience the difference between resilience and security. All right. So what are the key challenges in building resilient machine vision products that can detect, respond to, and recover from cyber incidents?
The point is that we are only selling software, and what really belongs to the customers is the product. So the end products they are using are the machine or, let's say, an intelligent camera or smart camera, something like this. And our software is only part of it. So basically our customers need to care for cyber resilience themselves, but they need to rely on companies like ours so that they can provide the service to their end customers.
Okay, so let's talk about that, the EU CRA. How has the introduction of that impacted the design and the security requirements for machine vision systems?
To be honest, I experienced the Cyber Resilience Act for the first time in mid-2024. I was visiting a big customer, and we were meant to talk about technical details, but they told me, hey, unless you can make sure you meet the cyber resilience requirements which come up in the future, we don't need to talk about technical details. And that was, in fact, the point where I really looked into it in detail and brought this to my company. To be honest, MVTec provides high-quality software from the beginning. That's our approach. But we never emphasized cybersecurity, because we are mainly building a library, and it depends on the customer to implement it in a good way. On the other hand, we want to bring features to the customer so they can get some advantage over their competitors. And cybersecurity by itself, up to now, was not really a direct advantage.
So when we're talking about those customers, what strategies would you recommend for machine vision engineers and integrators to ensure compliance with that standard?
So you need to look into some standards, and especially in the European Union, now the Cyber Resilience Act is there. That's a law. So you need to follow the law. And by 2027, so December 11, 2027 to be exact, you need to have the regulation in place, telling or confirming that you follow the law. And this means that at least in 2027 you need to be sure that you follow all the points in the Cyber Resilience Act. If it's outside of the European Union, so for example in the US, you don't have a law for this, as far as I know at least. You have some guidelines, from NIST mainly, and you should follow them, of course, because the geopolitical risks are really getting bigger now, and there is some added value in being cybersecure nowadays, and you should follow it. But if you want to export to the European Union or work in the European Union, you must follow it, and it takes some time. So at MVTec we have had it here for more than a year now; we are working on it and becoming more and more compliant. We are trying to do this in a way which meets all our customers all around the world. So it's not only the US and not only Europe, but it's also Asia, and there are different regulations. And basically we work together with our customers and provide what the customers need, because we want to be a kind of strategic partner and be the trusted persons or the trusted company you can rely on for your products and be secure also in the future.
So you offer different packages depending on where each of your customers is located and what the regulations are for their location?
No, to be honest, it's pretty similar. And if you're following a more strict regulation, no one else will have a problem with it. 
Gotcha. So you just have the most robust one that you're able to provide, so it will meet the regulations of the location because of the offering.
Yes, of course, that's correct. 
So how can integrators effectively implement secure communication protocols in vision systems to support resilience and regulatory compliance?
So it's not only about secure protocols, but, as you name it, for example in our software, how you can open sockets for communication. You can open them in two ways. You can open them, on the one hand, in an insecure way. That's standard, traditional, like you always did it. But you can also say, now I want to have secure socket communication, but then you need to provide, of course, certificates and be prepared to handle everything which is related to it. So it's up to the customer to implement it, and we try to provide the proper documentation for it.
Well, can you share some of the best practices for maintaining firmware security and update integrity to promote that cyber resilience?
Yes. So what we are doing from our side, and I advise our customers to do it the same way: there is a thing which is called a software bill of materials, the SBOM, which gives you an insight into all the software components which are in your product. And you check this list. This is a machine-readable list. You check it against databases which are in the world, for example the CVE database, and you check for vulnerabilities, known vulnerabilities. And if there is a known vulnerability, you need to address it. That's basically what we are doing in our processes. So we have pipelines, build pipelines, which check this, which create SBOMs automatically and check for problems. The topic of this is, it's not easy. It's not black and white. So often you get a CVE which basically says, hey, it's insecure. And when looking deeper into the CVE, you see, yeah, but it means only a specific component of the software is insecure, and we are not using this component. And so this gets a little bit messy in the end. But yeah, that's the way it is.
So do you have any practical, cost-effective measures that integrators can take to enhance both cybersecurity and resilience in latency-sensitive vision applications?
Of course, they can use our software, because then we care for this part, but they need to update it.
Of course. And how do you offer patches? Do you offer upgrades? Tell me a bit about that.
Yeah. So that's really a difference between the Cyber Resilience Act and cybersecurity itself, because the Resilience Act requires you to provide patches. And depending on how critical an issue is, it must be very fast. You even need to report problems to an official authority. And there are huge fines, up to fifteen million euros, for example, that you might get if you don't follow those rules. And according to the CRA, you have to provide it for at least five years. And what we are doing is we're providing it for up to 15 years, depending of course on our product. And so the 15 years unfortunately are not free, but the five years or even seven years, so we extended it a little bit more than the law, these are free security patches. But of course you need to use it. So you need to subscribe, for example, to a mailing list. So we provide a security page on our homepage, mvtec.com, under cybersecurity, and you can report issues, you can subscribe to mailing lists, you can have a look at what's happening there. And yeah, it's an ongoing process. It's not something which is finished at some point in time. It's really ongoing.
Well, that's a wrap for this episode of Visions, produced by Endeavor Business Media, a division of Endeavor B2B. Thanks very much for tuning in. If you enjoyed today's show, be sure to subscribe to the podcast and share this episode with a colleague who would find it helpful. Until our next episode, you can find us at vision-systems.com or on LinkedIn or Facebook for more insights, updates, and breaking news to keep you in the know. Thanks for tuning in. Until next time, stay focused on your visions.
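The SBOM check Hopner describes above (match every shipped component against a vulnerability feed, then deal with the "messy" case where the CVE only affects a sub-component you do not use) is shown here as an added Python example written for this page. It is not MVTec's pipeline code and does not use HALCON or any MVTec tooling. The SBOM, the advisory feed and the triage statements are all constructed sample data; the CVE identifiers are placeholders, not real advisories, and the CycloneDX/VEX shapes are simplified.

```python
"""Audit a CycloneDX-style SBOM against a vulnerability feed, then apply
VEX-style triage so an advisory for an unused sub-component is recorded
but not counted as an open finding. Standard library only."""
import json

# Constructed sample SBOM in a simplified CycloneDX JSON shape.
# Component names and versions are illustrative, not a real product's BOM.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libjpeg-turbo", "version": "2.1.4",
     "purl": "pkg:generic/libjpeg-turbo@2.1.4"},
    {"type": "library", "name": "openssl", "version": "3.0.7",
     "purl": "pkg:generic/openssl@3.0.7"},
    {"type": "library", "name": "zlib", "version": "1.3.1",
     "purl": "pkg:generic/zlib@1.3.1"}
  ]
}
"""

# Constructed advisory feed. The identifiers are PLACEHOLDERS, not real CVEs;
# ranges are half-open [introduced, fixed) as in OSV-style feeds.
ADVISORIES = [
    {"id": "CVE-0000-0001", "package": "openssl",
     "introduced": "3.0.0", "fixed": "3.0.8", "subcomponent": "ssl/quic"},
    {"id": "CVE-0000-0002", "package": "libjpeg-turbo",
     "introduced": "2.0.0", "fixed": "2.1.5", "subcomponent": None},
    {"id": "CVE-0000-0003", "package": "zlib",
     "introduced": "1.2.0", "fixed": "1.3.0", "subcomponent": None},
]

# Constructed VEX-style triage written by the product team: the affected
# OpenSSL sub-component is not compiled into this product, so the advisory
# is "not_affected" with a justification (shape loosely follows OpenVEX).
VEX = {
    "CVE-0000-0001": {"status": "not_affected",
                      "justification": "vulnerable_code_not_present"},
}


def parse_version(v):
    """'3.0.7' -> (3, 0, 7). Non-numeric parts become 0 so comparison never raises."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None means no fix yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_advisories(sbom, advisories):
    """Join each SBOM component with every advisory for the same package
    whose version range contains the shipped version."""
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if version_in_range(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append({"id": adv["id"], "component": comp["purl"],
                             "version": comp["version"], "fixed": adv["fixed"],
                             "subcomponent": adv["subcomponent"]})
    return hits


def triage(hits, vex):
    """Apply VEX statements: a hit without a statement stays 'affected' (open);
    a 'not_affected' statement keeps the hit in the record with its reason."""
    results = []
    for hit in hits:
        stmt = vex.get(hit["id"])
        results.append({**hit,
                        "status": stmt["status"] if stmt else "affected",
                        "justification": stmt.get("justification") if stmt else None})
    return results


def audit_sbom(sbom_json=SBOM_JSON, advisories=ADVISORIES, vex=VEX):
    """Return every matched advisory plus the subset that still needs a patch."""
    sbom = json.loads(sbom_json)
    results = triage(match_advisories(sbom, advisories), vex)
    return {"all": results,
            "open": [r for r in results if r["status"] == "affected"]}


if __name__ == "__main__":
    report = audit_sbom()
    for r in report["all"]:
        line = f"{r['id']}: {r['component']} -> {r['status']}"
        if r["justification"]:
            line += f" ({r['justification']})"
        elif r["fixed"]:
            line += f", fixed in {r['fixed']}"
        print(line)
    print(f"{len(report['open'])} open finding(s) still need a patch")
```

Two things the example makes concrete that the spoken explanation does not: the match is a version-range comparison per package, so the zlib entry drops out because the shipped version is already past the fix, and the "we are not using this component" decision is data (a VEX statement with a justification) that lives next to the SBOM rather than a silent omission, so the finding stays auditable while no longer blocking a release.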

About the Author

Jim Tatum

Senior Editor

VSD Senior Editor Jim Tatum has more than 25 years experience in print and digital journalism, covering business/industry/economic development issues, regional and local government/regulatory issues, and more. In 2019, he transitioned from newspapers to business media full time, joining VSD in 2023.
