
CLAAS – Digital agriculture with secure identities for networked machines



IoT Use Case Podcast #146 – secunet + CLAAS

How can CLAAS protect its agricultural machinery from unauthorized access and manipulation? In the 146th episode of the IoT Use Case Podcast, we discuss how digital identities and automated security processes make machine communication secure and efficient.

Podcast episode summary

This episode focuses on how CLAAS, one of the leading manufacturers of agricultural machinery, enhances the security and efficiency of its machines through the use of digital identities and PKI (Public Key Infrastructure). Lars Wältermann, IoT Security Manager at CLAAS, discusses the challenges of ensuring secure machine communication and avoiding risks such as unauthorized access, manipulation, and costly manual processes. Together with Friedemann Wulff-Woesten and Björn Jansen from secunet, he explains how the implementation of secunet’s “eID PKI Suite” creates automated and secure identity management processes for CLAAS machines. This ensures that communication between machines and backend systems is secure and efficient.

The podcast provides examples of how machines are equipped with digital certificates during production, which confirm their identity. Another key focus is the lifecycle management of these certificates, enabled by the secunet platform, to ensure the machines’ continued secure use.

Additionally, the vision of CLAAS is discussed, which aims to offer their customers secure and data-driven agriculture through platforms like CLAAS Connect. This platform helps farmers manage their fleets and analyze field data. The episode concludes with a look into the future of secure machine communication and the need for standardization across the industry.
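As an added illustration (example code written for this page, not part of the podcast or of secunet's eID PKI Suite), the following Go program models the identity flow the episode describes: an issuing CA binds a machine's serial number to a key pair in an X.509 certificate at production time, the backend authenticates a connecting machine by chaining that certificate to the trusted CA, and a renewal check drives the certificate lifecycle. The CA name, the serial number "CLAAS-SN-000123" and the 30-day renewal window are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// renewalWindow: re-enrol when less than this remains before expiry (assumed value).
const renewalWindow = 30 * 24 * time.Hour

// newCA builds a self-signed issuing CA (the "Bundesdruckerei" of the ID-card analogy).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueMachineCert is the production-line step: it binds the machine's serial
// number (as CN) to a public key in a CA-signed X.509 certificate. The key pair is
// generated here for brevity; on a real control unit only the public key would leave the device.
func issueMachineCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey,
	serial string, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	certSerial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: certSerial,
		Subject:      pkix.Name{CommonName: serial},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// authenticateMachine is the backend side of mTLS: the presented client certificate
// must chain to the trusted CA; only then is the CN believed to be the machine's identity.
func authenticateMachine(ca, presented *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}

// renewalDue is the lifecycle check: true when the identity should be renewed
// (e.g. via EST) because it is about to expire.
func renewalDue(cert *x509.Certificate, now time.Time) bool {
	return now.Add(renewalWindow).After(cert.NotAfter)
}
```

A certificate issued by any other CA fails authenticateMachine even if it carries the same serial number in its CN, which is the property that stops an untrusted party from impersonating a machine.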

Podcast interview

Today we take a look at how CLAAS, one of the leading manufacturers of agricultural machinery – you may recognize them from the field, those green combine harvesters – has worked with its IoT partner secunet to build a secure and efficient infrastructure. How do they manage to protect hundreds of thousands of networked machines from unauthorized access and possible attacks? How does device management and the registration of a new CLAAS machine on the network work? In this episode, you will learn from CLAAS how they achieved this, with exciting insights that may also be relevant for your business.

Today I have invited Lars Wältermann, IoT Security Manager at CLAAS. Friedemann Wulff-Woesten and Björn Jansen from secunet joined us as well. We are also in the Security Special October, to coincide with the it-sa Expo&Kongress, a trade fair for IT security, which takes place in Nuremberg from October 22 to 24. If you want more information, take a look at the episode description. In the last episode, we looked at security use cases in the field of energy grids, and next week we’ll be taking a look at the shop floor. But now let’s listen to how CLAAS did it. Let’s go!

Hello Friedemann, hello Lars, hello Björn. Great to have you with me today. How are you all doing? Where are you right now? Friedemann, where are you?

Friedemann

I’m currently in Dresden, working from my mobile office, not on-site. I’ve set myself up here.

Very nice. Greetings to Dresden. Lars, where are you? I see what looks like a garage in the background. Can you explain for the listeners what we’re seeing?

Lars

I’m working from my home office near our main location in Harsewinkel. Right now, I’m in the basement where I sometimes work on 3D printers or other small projects.

Got it, very nice. For the listeners: You can’t see it, but Lars has a 3D printer in the background. We might talk about that later. Lars, which federal state are you in exactly?

Lars

Harsewinkel is in NRW, near Münster, Bielefeld, and Osnabrück, in the OWL region.

All right. Greetings to the region as well. Björn, where are you right now? There’s nothing in your background, so I assume you’re also in a home office. Where are you right now?

Björn

Yes, exactly. I’m working from my mobile office today.

Very nice. Let’s get started. It would be great if you could briefly introduce yourselves. Lars, let’s start with you. What exactly do you do at CLAAS? I mentioned it briefly in the intro, but could you explain in more detail what your role is at CLAAS?

Lars

Gladly. I work in central IT in IT Security Management, more precisely as IoT Security Manager. I regularly collaborate with our development team to see which projects are in the pipeline, which control units are being developed, and how we can secure them. This involves security analyses and providing key materials to ensure we offer secure products for our customers. Additionally, we focus on maintaining a secure production environment from a security perspective, which means working on OT security as well. We ensure that the CLAAS Group is also well positioned here, especially with regard to NIS2. These are the areas that I deal with every day at CLAAS.

You mentioned customers and products. Could you briefly explain who your typical customers are and what products you’re referring to in the context of IT security?

Lars

Our products include the classic machines, like combines, forage harvesters, and tractors, which our customers—farmers—use in the fields to manage their harvest processes. In addition to these physical machines, we now have many digital products as well. One example is CLAAS connect, a platform we recently revamped. It allows our customers, the farmers, to manage their fleets and analyze their fields. We’ve been offering these services for years, but now with a completely new, modern user experience. Farmers can see their annual yield and analyze what might need better fertilization next year—down to the square meter, or even more precisely, thanks to specialized signal enhancements. These are the kinds of products we offer at CLAAS.

Very exciting. That’s really interesting. I just checked out your website and will include the link in the show notes. CLAAS connect looks really impressive, so everyone should definitely check it out. Now, I have to ask: The three of you are here together today—how did this collaboration come about? Friedemann, Björn, how did you meet Lars, and how do you work together?

Lars

The topic of security on our machines and products has been a long-standing one. Over nine or ten years ago, we started this journey because we wanted to ensure that our machines communicate securely. At that point, we needed digital identities and certificates. Secunet offered us their eID PKI solution, which met our requirements for providing identities for our machines. That’s how the collaboration began, and now we’re working on more projects together. It’s not just about issuing identities, but also managing the lifecycle of those identities—how we renew certificates or identities and build processes to extend the lifespan of our vehicles and products. That’s the project we’re currently focused on.

So, if I understand correctly, with digital certificates, it’s about ensuring that as soon as a machine connects to your system and wants to communicate or exchange data, it does so securely. You have thousands of devices in the field that you connect and secure to make sure they’re safely integrated. Is that right?

Lars

Exactly. At CLAAS, we need to ensure that we know who we’re communicating with. That means we need to verify the authenticity of the machine trying to communicate with us. This also applies to future use cases like machine-to-machine communication. We need to ensure that an attacker can’t, for example, remotely control a combine harvester. For that, we need trusted identities, and those are the identities we’re talking about.

Maybe just a quick follow-up question: What I’m curious about is the overall vision of CLAAS. What is your vision in the area of IoT and security—both for CLAAS and for your customers?

Lars

Our vision at CLAAS is to provide our customers with products that help them be the best in their field. That’s the core of what we aim for with our platforms. We want to make the data that our machines collect available to our customers—securely and in compliance with data protection regulations. Our goal is to give our customers the best tools to excel in their work. This is the idea behind the IoT data and product data we provide.

[08:38] Challenges, potentials and status quo – This is what the use case looks like in practice

Friedemann, what about secunet? You’ve been working together for a while now. What project are you working on, and what exactly do you do together?

Friedemann

As Lars already mentioned, secunet provides products like the eID PKI Suite, for which we also offer product consulting. This software is developed by secunet and can be customized to meet specific customer needs. There are various modules available. What Lars and I specifically work on together involves not only the software itself but also the processes surrounding a PKI, which are often more complex. The software issues certificates, but the more challenging part of a PKI project is defining the exact processes: Which machines need which identities? We also provide consulting on this—general IT security and PKI consulting. These are the two main aspects of our work with secunet, and we do this for other products as well.

We’ve mentioned digital certificates. Could you explain what that means? How does it work when I want to register a new machine and assign it an identity? Do you have an example to make it easier to understand?

Friedemann

A simple analogy from the non-digital world would be our ID card. You can think of it like a certificate. Where do you get your ID? From the local registration office, which in the PKI world would be the Registration Authority, or RA. However, the registration office does not print the ID itself. In Germany, this is done by the Bundesdruckerei, which can be thought of as a certificate authority, or CA. That’s essentially the process. In a PKI, there’s always the question of how the initial application works. In Germany, you are issued a birth certificate, and with that, you go to a government office to get your ID card. When the ID expires, you simply go back to the registration office to get a new one based on the old one. Similarly, certificates also have an expiration date, just like an ID card. That’s the analogy.

Maybe we can build on this analogy to better understand the technical explanation. But first, a question for clarification: Why is this important? I’m asking this to bring out the business case and understand why it’s important for CLAAS to build these machine identities. Could you explain the “why” behind this project?

Lars

Historically, machines only had a serial number that could be identified locally. Nowadays, through platforms like CLAAS connect, we want to know exactly which machine collected which data and to whom it belongs. For these digital use cases, we need digital identities.
As Friedemann mentioned, you get a birth certificate when you are born. It’s similar for our machine identities. Our control units come from suppliers, and only on the production line, when the control unit is assigned to a machine, does that CLAAS machine receive its unique CLAAS identity. From that point on, we know that the physical serial number of that machine corresponds exactly to that digital identity. When the vehicle leaves the factory and operates in the fields, we have a 1:1 mapping between the physical machine and its digital identity.
This enables not only digital use cases but also practical ones, like identifying defective parts. For example, we can use telemetry data and sensors to detect early on when a replacement part is needed and ensure it is provided in time during the harvest process—anywhere in the world.

And telemetry data can be various types of information, such as job data from the field or GPS data—basically any kind of data being collected?

Lars

Exactly, yes. And many of these data points are very sensitive for the customer, such as personal or location data. That’s why we need secure communication between the machine and the backend, and in the future, even between machines. That’s why these digital identities are so important.

Let’s stick to the business case. Can you explain the business challenges behind this? You mentioned earlier that it’s crucial to know who the machine is communicating with. What’s the worst-case scenario if this doesn’t work? What business challenges have you faced in this context?

Lars

I’d like to quote our CEO, who often talks about the horror scenario of a remote-controlled combine harvester driving into a kindergarten. It’s a very graphic example, but it clearly illustrates the problem. If we can’t ensure who is communicating with the machine—whether it’s the authorized CLAAS backend service, someone standing right next to the machine, or even someone sitting on a couch at home—that person could steer the machine like a remote-controlled car. They could tell the machine to turn left or right. This is the most tangible example of why we need secure device communication.

So it’s about tamper resistance. And in the worst case, lives could be at risk. That’s a very illustrative example. Are there any other business cases, especially in connection with the certificates? Ultimately, it’s a form of device management, connecting all these machines. What would happen if you didn’t automate this? How much time and money would be lost, to put it bluntly?

Lars

Without PKI, we wouldn’t have been able to manage this manually with our current staff capacity at CLAAS. We’ve already issued over 300,000 certificates and key materials using the PKI. If we had to do all of this by hand, maybe using Excel for mappings, we simply wouldn’t be able to keep up.

That kind of manual process also introduces a lot of room for errors.

Friedemann

Exactly. Technically, what we’re doing is mapping an identity to public keys. In cryptography, you have symmetric and asymmetric encryption, and with certificates, we use asymmetric encryption. This involves a private key, which you keep secret, and a public key, which you can make public. The mapping we do links the machine’s identity, such as its serial number, to a public key.
This is similar to how a national ID card links a person’s identity to certain information. We do the same for machines. It’s automated through the PKI and not done manually in Excel. So, when the machine communicates with the backend, both sides can authenticate each other—that’s called Mutual TLS, or mTLS. That’s the goal we’re trying to achieve.

Maybe we can clarify some of the terminology here. Those in the security industry likely know these terms, but for others, it might help to give some context. Björn, can you explain what PKI and identities mean and how this mapping works?

Björn

Fundamentally, a PKI can be described as an integrated trust system for our customers who are setting up corresponding systems within their organizations.
It includes the technical aspect, such as the issuance of certificates directly on the production line, for example, for customers like CLAAS. This involves mapping the key material in the certificates to the corresponding devices and certificates. Then there’s the process side, which Friedemann and Lars have highlighted—the reliability of issuing these certificates. This allows automated processes to ensure that the person or device presenting a certificate is truly the holder of that certificate. Ultimately, it creates a trust relationship between sender and receiver.

Lars, we talked earlier about data types, such as jobs that need to be completed. What types of data are typically processed in your use cases, for example, through CLAAS connect or the PKI system? Can you give us a practical view of the kind of data you need and handle? You’ve already mentioned serial numbers, which are probably part of this data set.

Lars

We have machine-specific data such as serial numbers or telemetry data, for example, how much grain was harvested and the fuel consumption. These are metadata about the machine itself, which are collected, processed, and made available to the customer via CLAAS connect. In addition, there are machine-specific data like software update packages for control units. Here, we also use key materials to ensure that the software updates are digitally signed. This means that the machine or the control unit can verify that the update originates from a trustworthy CLAAS instance and has not been manipulated en route. This prevents, for instance, an attacker from integrating a backdoor into the software to gain remote access. We secure this with digital signatures by creating a hash of the firmware and digitally signing that hash with a private key, which is safeguarded within our PKI, including Hardware Security Modules. This significantly reduces the risk of untrusted software being run on our machines.

You’re also using secunet products. Can you briefly explain which secunet products you use to do exactly what you just described?

Lars

Yes, we use the secunet eID PKI as a platform. This platform comes with various additional modules and API interfaces. For example, through an API interface, we can create software signatures. The developer creates the software, and during the development process, a hash is generated and sent to the PKI, where it is digitally signed. That’s one use case we cover with the eID PKI. A new addition is the EST protocol, Enrollment over Secure Transport, which we want to use to renew certificates for existing machines. This is another module provided by the eID PKI. You can think of the eID PKI like a toolbox, and we’ve chosen the API interfaces and the EST protocol because they best meet our requirements and allow us to work flexibly with the control units.

Okay, I think the business case is clear—it’s about preventing manipulations that could potentially endanger lives, and it’s also about device management and certificate administration. Managing this manually with Excel sheets wouldn’t be practical, which is why you opted for an automated solution with secunet.

[22:33] Solutions, offerings and services – A look at the technologies used

Now I’d like to understand how everything works in practice. Friedemann, could you explain the overall solution you provided to CLAAS? How does that work exactly? Perhaps you could give us a brief overview, and then I’ll dig deeper into the specifics.

Friedemann

The eID PKI Suite is a software solution with various modules. For CLAAS, we installed and configured the eID PKI Suite. This suite comes in three different versions, and at CLAAS, we use the on-premise version. This means that the software runs directly on-site at CLAAS, and the key material is stored locally in HSMs, Hardware Security Modules. This is the highest level of security, as the customer has full control over the key material.
There are other deployment options as well. For example, the software could be run as a container via Docker or Kubernetes. Another option would be for our subsidiary SysEleven, a cloud provider, to handle the hosting. These three variants are available.
At CLAAS, we chose the on-premise version and installed the various modules of the eID PKI Suite as RPM packages, each tailored to the specific use case at CLAAS. As Lars has already said, there is the CMP module, Certificate Management Protocol, for certificate renewal, for example, but it is very complex. In this case, we chose EST because it’s simpler, more flexible, and runs on HTTPS. However, if other customers require CMP, ACME, or another protocol, the eID PKI Suite can be adapted accordingly.

And about the Docker container architecture—just to clarify, you use this to make device management more efficient, correct? It helps keep the management process automated and streamlined.

Friedemann

In this case, the Docker container architecture is only related to deploying the eID PKI Suite itself. We could have deployed the software at CLAAS using Docker containers, but we decided to install the packages directly. Docker containers are simply a way to ensure that all the software’s dependencies, like specific Java versions, are bundled into one image. It’s just a method for installing the software, but it doesn’t have anything to do with managing the machines themselves. It’s only about how the software that issues the certificates is installed.

I see. Lars, in the end, with this product, you can manage both machine identification and certificate renewal throughout the entire lifecycle. That’s the technical use case you’re implementing with this product, right?

Lars

Exactly. From a security perspective, we also want to reduce the lifespan of digital identities, similar to what’s happening with certificates for web services, where certificate lifetimes are typically 12 to 13 months, and there are discussions about reducing this to 3 months. The same applies to ID cards, which must also be renewed regularly. We want to ensure that the identity of the machine is renewed periodically, so we can guarantee that it’s still the same machine. That’s why the certificate renewal function in the eID PKI is important to us.

Got it. And maybe as a last technical question: Earlier, we talked about data mapping. Friedemann, Björn, can you explain how this mapping works in your product? How is it done?

Friedemann

As Lars mentioned earlier, when a new machine is registered, a certificate is issued. In the web interface of the eID PKI Suite, you can filter and view all the certificates that have been issued by a specific Certificate Authority. You can see when the certificate was issued and how long it is valid. Each certificate contains, in addition to the public key, an identifier, in this case, the Common Name. These certificates are in X.509 format and in this format there are fields such as this Common Name, or CN, which represents the name of the machine – similar to the first and last name on an ID card. This allows you to track exactly when a certificate was issued.

I see. So, this means that the connection between machines and the assignment of identities is scalable, even for thousands or hundreds of thousands of devices. The system remains flexible, no matter how many machines need to be managed. Do you typically have customers with as many devices as CLAAS, or do you also have customers with fewer devices, maybe in the range of hundreds?

Friedemann

That really depends on the type of devices. For example, the eID PKI Suite is used by automotive OEMs that manufacture cars—there, the numbers are even higher than at CLAAS, as cars are produced in much larger quantities than commercial vehicles. We also have utility companies that use it for smart meters. So, it depends on the type of products being secured. PKI is essentially a tool to achieve goals like preventing man-in-the-middle attacks. Björn, can you maybe add something about the different customer groups of the eID PKI Suite?

Björn

We have over 350 installations with our customers, and the range of applications is very diverse. Therefore, it’s not easy to pin down a specific number of issued certificates or devices. As Friedemann mentioned, it depends on the type of devices being equipped with it. The core idea is always to ensure trust between devices. When you have a certain number of devices and place importance on security, automating the process becomes essential—and this can be beneficial with as few as ten keys. The advantages lie in the convenience of being able to manage each device individually, while also being able to centrally sign software for all devices, as Lars described. Each device then knows that the software comes from a trusted source, which is a major benefit.

Yes, exactly. The use case is actually always similar – it’s about protection against manipulation, such as man-in-the-middle attacks, and about device management and certificate management. The basic idea behind your customers’ use cases therefore remains relatively the same.

Friedemann

Exactly. And perhaps as an addition to the question about exact numbers: At CLAAS, the eID PKI Suite is installed on-premise, which means that secunet—so, Björn and I—don’t actually have access to see how many certificates have been issued. That remains fully under CLAAS’s control and is confidential. We don’t have insight into the exact numbers, and that’s how it should be, as it’s up to the customer.

Yes, that makes total sense. If anyone listening has a similar use case or would like to address this topic, I can include your contact details in the show notes if that’s okay with you. Interested parties can then contact you afterwards and discuss their own use case to take advantage of the benefits. I’ll also include further details about the project in the show notes so that people can read more about it. For my last question today, I’d like to look toward the future. Lars, where do you see the biggest challenges and opportunities in the future of connected agricultural machinery, based on what we’ve discussed today? What challenges could you or the industry face in the future?

Lars

From the CLAAS perspective, one of the biggest challenges is definitely the implementation of lifecycle processes for all vehicles and machines. For the industry as a whole, it will also be a challenge to connect the different manufacturers. That’s what the AIF working group is for. For example, if a John Deere tractor is working alongside a CLAAS combine harvester and you want to transfer the grain, there could be future communication use cases. I think the challenge will not only be the technical implementation but also establishing the trust model we use for our machines across the entire industry.

So, it’s also about standardization between manufacturers, which is likely the task of the working group you mentioned. That sounds very sensible. It’s exciting that you brought that up because I was wondering how collaboration between competitors in the industry works. It’s an interesting outlook that you’re focusing on integrating customer and service provider data holistically. Thanks so much for sharing your insights today. I have a lot more questions, but we can discuss those another time. Feel free to reach out to Björn, Friedemann, or you, Lars, for more in-depth discussions. Thanks again for being here and for presenting such a concrete customer case about how CLAAS is approaching this. I’ll leave the final word to you all. Thanks again for joining us.

Friedemann

Yes, thank you. It was a lot of fun. I’m glad you could join us, Lars, and that it worked out. I think it’s great. Thank you.

Lars

Likewise! Thank you, it was a great experience, really enjoyed it. Thank you.

Björn

Thanks from my side as well for the great exchange.

Great, thanks so much. Wishing you all a wonderful rest of the week. Take care, bye!

Friedemann

Thank you. Bye!


Ing. Madeleine Mickeleit

Host & General Manager
IoT Use Case Podcast