Visions Podcast: Building Cyber‑Resilient Machine Vision: From Defense to Recovery, Part 2

This episode explores cyber resilience in machine vision systems, emphasizing secure communication, firmware management, and regulatory impacts like the EU Cyber Resilience Act, with expert insights on practical risk assessments and open-source management.

Key Highlights

  • Cyber resilience in machine vision involves risk assessments, managing open-source dependencies, and implementing secure communication protocols.
  • Manual firmware patching is often necessary due to certification requirements, complicating rapid response to vulnerabilities.
  • Regulations like the EU Cyber Resilience Act demand careful software management, but strict compliance can hinder innovation.
  • Long-term support for software and hardware is critical.
  • Educating developers on security issues and adopting containerized CI/CD pipelines enhance system resilience and security posture.

In this episode, the second installment of a two-part series of Visions: A Machine Vision and Automation Solutions Podcast, VSD's head of content Sharon Spielman interviews Thomas Hopfner of MVTec about cyber resilience for machine vision systems, covering secure communication and firmware, manual patching constraints due to certifications, and the impact of the EU Cyber Resilience Act.

They discuss practical steps—risk assessments, managing open-source dependencies, developer education, containerized CI/CD pipelines, and the challenges of long-term support and balancing compliance with innovation. 

Related: Building Cyber-Resilient Machine Vision: From Defense to Recovery, Part 1

Visions: A Machine Vision and Automation Solutions Podcast, is the podcast for engineers, designers, integrators, and end users who want to keep an informed eye on the imaging and machine vision industry. Every second and fourth Tuesday we will explore the latest in imaging trends, developments and solutions. Here you will find interesting, useful insights and observations from expert interviews, solo episodes, even the occasional panel discussion, all of which aim to expand your knowledge on imaging and machine vision. 

Be sure to subscribe to Visions: A Machine Vision and Automation Solutions podcast on podbean, or wherever you find quality podcasts.

Transcript

Well, hello and welcome to Visions: A Machine Vision and Automation Solutions Podcast. I'm your host, Jim Tatum, senior editor of Vision Systems Design, and Visions is an Endeavor Business Media production from your friends at Vision Systems Design. Here you'll find the latest on everything from end user machine vision solutions to trends, developments, and perspectives on all things machine vision and imaging. Whether you've been working in the industry for a while or you're just starting to take a closer look at it, this podcast is designed to grow your knowledge and bring greater focus to your understanding of the imaging and machine vision industry. And now on to our show.

Welcome, everyone. I'm Sharon Spielman with Vision Systems Design. Today we're focusing on cyber resilience in machine vision systems, the ability to not only defend against, but also recover from cyber attacks. With increasing threats and new regulations like the EU Cyber Resilience Act, ensuring vision products are secure, resilient and compliant is critical. Joining us today is Thomas Hopfner, product portfolio manager with MVTec, who will share his insights on building resilient systems, securing communication and firmware, and navigating EU CRA requirements. Let's dive in. Thank you for being here, Thomas.

Thank you for the invitation. 

So, um, with your software, then the customer is, um, having to let you know that there's been an anomaly, so to speak. Does the software itself that you provide, um, automatically then provide the patch or do you have to manually, uh, administer that patch? 

You need to do it manually. And, uh, that's mainly also because the products which are equipped with our software usually have a different certification process in addition. So it's industrial products, and all industrial products need to go through some certification for industrial use, usually using the protocols and everything else. And so you cannot automatically update it, because you will lose this certification.

Okay, I got you. All right. So I don't know if you're going to be able to answer this next one but do your best. So I don't know if this is under your purview or not. So how can machine vision systems be designed to maintain operational continuity under cyber attack or failure conditions? Do you have anything to say about that? 

That's really a difficult question. And so in the end, it turns out you need to do a risk assessment. So you need to judge yourself which risks might happen in your factory or in your machines and how to address them. And that's part of the cyber resilience: that you identify those threats, possible threats, and assess them and see what you can do about it, and implement a process to fix those issues.

So as you look forward, um, what emerges, what I guess, what emerging cyber threats or regulatory developments should the machine vision professionals prepare for to stay resilient and compliant? Um, I know you're going to say install your software. Uh, so in addition to that, uh, maybe you could talk about that and also dovetailing on that. You just had your innovation day. And I know that cyber resilience was a hot topic there. Maybe you could also talk about what the people who attended Innovation Day were, were talking about with cyber resilience. 

So our software is only part of the end product which is used somewhere. So our customers need to be carefully looking at what software they are using. For example, besides our software, open source has a lot of different practices and is not used in a... It's not bound to the CRA. And so they need to, uh, make sure that the software they use is secure themselves, so they need to check it on their own. And this is one thing basically. Also on the Innovation Day, our customers, uh, were a bit curious because they often use some additional open source software and they were not aware that they need to take care about it themselves. And yeah, so that's the point. Basically, you can buy something and rely on a strategic partnership, or you can do it yourself, but then you're on your own and you need to do it yourself.

Okay. Is there anything else that you wanted to touch on before I let you go? 

Yeah. So the point is maybe, um, in principle, I like cybersecurity and I think it's good, especially in the current times. But on the other hand, the regulation is quite hard. So we try to do our best and to follow the rules of course. But if we would follow every rule perfectly exact, uh, if we would understand it. So it's not easy to read those regulations. Um, there would be no innovation, uh, happen anymore because in the end, we would need to, for example, provide patches for thirty or fifty versions at the same time. And we can do this, of course, but then our programmers are doing patches all the time and not doing the innovations they need to do for the industry. And so we need to be careful about what we are doing and where we are looking at, because even if we secure our software, for example, there might be different attack vectors which are a lot bigger. And yeah, we need to check it. And it's something complicated. And, um, I'm not absolutely happy with this era, to be honest. So it goes in the right direction and I like it. But there should be some more emphasis on practical usage. 

Okay, So what would make you happy with it? 

It would make me a little bit more happy if it's more... So we had a talk with our developers and in the end it came out that there is something like compliance and there is something like security, and compliance is needed. For example, we need to use some special cryptographic algorithms and others are not to be used. But in the end, maybe I don't care, because if you can attach a debugger to your software and put the breakpoint at the right point, it's... Yeah. No matter which cryptographic solution you used, it will be breakable at this point. So does it really make sense to enforce it in the beginning if it can be broken later? And so yeah, compliance and security are two different points. But we need to be compliant, right? And you need to be secure too.

So, uh, that is, that's between a rock and a hard place for the companies that are looking to be cyber resilient, you know, and it also made me think, um, with the stringency of the regulation and being compliant, our AI, um, is there any generative AI being able to be used, or is that not allowed when it comes to this?

So in the end, you have to take the responsibility whether you use generative AI or not. So if you use generative AI, you need to make sure that what you use from the generative AI is secure on your own, and you can't rely on the generative AI. It's a little bit like self-driving cars. So who is responsible if such a car makes an accident?

Right? Always the other driver. Uh, so yeah, that's interesting. Compliance is not security. They're very different. So yeah, maybe. So what do you see looking forward for MVTec and your cyber resilience, uh, protocols, moving forward with your software?

So for us, it was, um, yeah, we're doing a little kind of transformation, being more secure. We implemented, for example, new CI/CD pipelines which are totally separated from our normal network. And everything is dockerized. But it has two reasons. One is we need to be more secure. So if there's a single laptop of an employee which has a virus, it should not hurt our products. But the other point is we need to be able to provide patches for up to fifteen years. So how do we do this? And even Microsoft is, for example, not prepared to do it. They offer only ten years of operating system updates and only for special releases. So how should we deliver fifteen years? Yeah. So on the Linux side, Ubuntu, they provide a special way for fifteen years. And that's what we want to rely on also. But in the end, we cannot provide more than the underlying technologies make sense, and yeah. But anyway, so it's a big step for us also. And we are educating our developers. They are now more aware of security issues, of course. And I think in the end the customer will get better software, even better than before. Okay. But he needs to use it in the right way. It's like having a knife.

You can hurt yourself with a knife, or you can do whatever you want. 

Yeah. Have a good tool. Yeah. 

Well, that's a wrap for this episode of Visions, produced by Endeavor Business Media, a division of Endeavor B2B. Thanks very much for tuning in. If you enjoyed today's show, be sure to subscribe to the podcast and share this episode with a colleague who would find it helpful. Until our next episode, you can find us at vision-systems.com or on LinkedIn or Facebook for more insights, updates, and breaking news to keep you in the know. Thanks for tuning in. Until next time, stay focused on your visions.

 


About the Author

Jim Tatum

Senior Editor

VSD Senior Editor Jim Tatum has more than 25 years experience in print and digital journalism, covering business/industry/economic development issues, regional and local government/regulatory issues, and more. In 2019, he transitioned from newspapers to business media full time, joining VSD in 2023.
