Cyber Security FAQ for B&R Automation Users
Industrial automation systems must remain secure, reliable, and protected throughout their entire lifecycle.
This post provides a collection of customer‑focused Cyber Security FAQs tailored to B&R products and technologies.
If you’re looking for a broader introduction to cybersecurity at B&R, including more resources, please check out the related community article here:
Cyber Security for B&R Applications
1. How can I secure access to my controller?
B&R supports authentication for connecting to the controller using the RBAC system with username and password. The communication channel should additionally be secured by using TLS 1.3, and access can be further restricted through client authentication based on mTLS.
For integrating the controller into the customer’s network architecture, B&R recommends following the ABB ICS Reference Architecture. External access should generally only be implemented via VPN solutions (e.g., using B&R Secure Remote Maintenance).
2. How can we handle Certificates with Automation Studio and Automation Runtime?
It is recommended to use a managed certificate store and OPC UA.
3. How does B&R ensure that software updates are trustworthy?
All B&R update packages are delivered as digitally signed installers, ensuring authenticity and integrity.
Updates can be applied through:
- Automation Studio
- Runtime Utility Center (RUC)
- USB / offline media
- IoT or edge‑based deployment workflows
4. What is the recommended secure process for updating devices?
- Use only signed B&R update packages
- Limit update permissions to authorized staff
- Use TLS‑protected channels for remote transfers
- Apply RBAC (Role‑Based Access Control) on all interfaces and grant access according to the principle of least privilege
5. How can I quickly restore my machine after a failure or incident?
MpBackup lets you store a secure, validated version of your automation software.
This allows quick restoration after:
- Hardware replacement
- Service intervention
- System misconfiguration
6. Does B&R provide security documentation for its products?
Active‑lifecycle products include security‑related documentation such as intended use, security capabilities and recommended protection concepts. The documentation is being expanded gradually.
Available here:
Automation Help
7. How can I subscribe to B&R or ABB security notifications?
You can find more details and subscribe here:
Subscriptions allow you to stay informed about relevant security advisories.
8. How does B&R handle security vulnerabilities?
B&R is certified for IEC 62443-4-1 and handles vulnerabilities in alignment with this standard. B&R communicates vulnerabilities in Security Advisories and in the Release Notes of the products.
A list can be found here:
Security Advisories
9. Are B&R development processes aligned with international cybersecurity standards?
Yes.
B&R’s product development process is certified according to IEC 62443‑4‑1, an internationally recognized standard for secure product development.
10. Does Automation Studio support secure‑by‑default configurations?
Yes.
Automation Studio uses secure defaults and any deviation from secure configuration settings is explicitly visible to the user. This helps integrators recognize and avoid insecure settings. Implementing the secure-by-default paradigm for all products is an ongoing process.
11. How does B&R ensure the authenticity and integrity of its hardware and software?
B&R uses secure building environments, protected development systems, and digitally signed software packages to ensure that both hardware and software shipped to customers are trustworthy and genuine.
12. Does B&R scan software for malware before release?
All new products are developed in alignment with IEC 62443-4-1 and have been scanned prior to release.
13. Does B&R provide a Software Bill of Materials (SBOM)?
Yes.
A Software Bill of Materials (SBOM) for Automation Runtime is available upon request, even though it is not legally required for machine builders to fulfill CRA requirements.
It lists all included third‑party and open‑source components, helping customers maintain transparency in their machine software stacks.
14. Why is physical access protection so important?
Physical access protection provides a strong, cost-effective first layer of cybersecurity, like locking your front door to safeguard your entire home, making it much harder for attackers to even reach industrial devices such as PLCs, switches, or ports in the first place. Without it, a risk analysis may require implementing countermeasures on every single device, such as individual hardened enclosures or sealed interfaces, which increases complexity and costs significantly. Even when outer access is securely locked, that analysis may still call for such targeted device-level protections as additional layers to fully mitigate remaining threats in critical OT environments where production safety and uptime are non-negotiable.
15. How can I determine whether a security advisory affects my machine?
- Each advisory clearly lists:
  - Affected product families
  - Affected versions
  - Impact description
  - Recommended actions
- Machine builders and operators can quickly assess whether their configuration is impacted and respond accordingly.
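The assessment described in this answer can be scripted against a machine inventory. The following is an added example, not B&R code and not an official advisory format: the advisory record, its ID, all version numbers and the machine names are constructed, and the field names are assumptions modelled on the four items listed above.

```python
# Added example: advisory triage. Advisory, versions and machine names are constructed.
from dataclasses import dataclass
from typing import Optional

def parse_version(text, width=4):
    """'1.9.4' -> (1, 9, 4, 0): numeric, padded so '1.10' equals '1.10.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

@dataclass
class AffectedRange:
    family: str            # advisory field: affected product family
    first: str             # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix yet

def is_affected(installed, rng):
    v = parse_version(installed)
    if v < parse_version(rng.first):
        return False
    return rng.fixed is None or v < parse_version(rng.fixed)

def triage(advisory, inventory):
    """Return one finding per installed component the advisory applies to."""
    findings = []
    for item in inventory:
        for rng in advisory["affected"]:
            same_family = item["family"].casefold() == rng.family.casefold()
            if same_family and is_affected(item["version"], rng):
                findings.append({"machine": item["machine"], "family": rng.family,
                                 "installed": item["version"], "fixed_in": rng.fixed,
                                 "action": advisory["recommended_actions"]})
    return findings

ADVISORY = {  # constructed; mirrors the four fields an advisory lists
    "id": "EXAMPLE-ADVISORY-0001",
    "impact": "constructed impact description",
    "recommended_actions": "update to the fixed version or apply the listed mitigation",
    "affected": [AffectedRange("Automation Runtime", "1.0.0", "1.10.0"),
                 AffectedRange("Automation Studio", "2.0.0", None)],
}
INVENTORY = [  # constructed machine inventory
    {"machine": "line-1", "family": "Automation Runtime", "version": "1.9.4"},
    {"machine": "line-2", "family": "Automation Runtime", "version": "1.10.0"},
    {"machine": "eng-ws", "family": "automation studio", "version": "2.3"},
    {"machine": "line-3", "family": "Automation Runtime", "version": "0.9.12"},
]

if __name__ == "__main__":
    for f in triage(ADVISORY, INVENTORY):
        print(f"{f['machine']}: {f['family']} {f['installed']} affected; fixed in {f['fixed_in']}")
```

Versions are compared numerically on purpose: a plain string comparison would rank 1.9.4 above 1.10.0 and wrongly report line-1 as already fixed.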