Compliance & Security

Within Industry 4.0, networking industrial plants, processes and communication on the basis of continuous digitization is a fundamental prerequisite. Important data becomes visible to new user groups, and production systems in manufacturing exchange and reconcile data with one another. The cross-company coupling of entire factories that coordinate interactively will become a production factor in Industry 4.0 solutions in the near future. As a result, these environments are exposed to the same threats as standard IT.

Making data available to users at any time and in any place requires a sound security strategy in the company. The availability of systems and data protection must be an integral part of risk management and is therefore a management responsibility.

In the past, security considerations were largely limited to the office environment and the data center; digitization in manufacturing has created completely new areas to consider. Requirements from classic IT security now also apply to digitized production systems. Continuous availability of the systems must be ensured, as must continuous updating of system security over the entire lifecycle. Mastering this balancing act between availability and security efficiently at the shop-floor IT level calls for new concepts.

Introducing new communication channels and the technologies they require calls for sound planning, and current conditions often pose high hurdles: in the past, production systems were not necessarily kept at the latest operating system and patch level, and secure, hardened networks are rarely found in production environments.

For this reason, basic planning of all necessary communication channels, with close attention to the security requirements, is indispensable. In addition to the basic IT security services defined in ISO 7498-2 (authentication, access control, data confidentiality, data integrity and non-repudiation), production environments require further considerations. External influences on networks, such as electromagnetic interference (EMC), require special measures. The use of camera systems to control and inspect production facilities is subject to compliance rules such as the GDPR (DSGVO). The operation of so-called "unmanaged devices" such as smartphones or tablets must be planned and implemented precisely.

Future remote maintenance solutions will monitor production machines in real time and transmit data to control stations or, as a mobility solution, to maintenance personnel. Collecting data on capacity utilization, throughput times or individual controls requires secure connections and environments.

The basis for a secure environment is a well-founded risk analysis that considers both the required availability and possible threat scenarios. A risk analysis covers the current conditions and the necessary measures over the entire lifecycle of the environment. Security is not a one-off measure; it requires continuous observation and control.

Baseline situation

Today, production systems usually operate autonomously, without connection to other systems and without integration into network environments. In a successful Industry 4.0 project, however, these systems must communicate with each other. Whether status information is transmitted to a control station in the digital production environment, coordinated with downstream production systems, or provided for analysis, the data must be interpretable and binding. The data must be classified according to its protection requirements and appropriate measures planned.

A further essential point is missing know-how and understanding within the company. Special attention must be paid to building up employees' competence, e.g. through training courses.

Procedure model

Security and compliance measures must be implemented as a parallel goal in every digitization project.

A three-stage procedure model is recommended:

Phase 1 – Planning before commissioning

  • Determination of communication requirements and paths
  1. Data exchange from and to systems / users
  2. Encodings
  3. Remote maintenance
  • Capture network structure and segmentation requirements
  • Recording of security-relevant threats: risk assessment of the current situation (assets/data requiring protection)
  • Creation of a catalogue of measures
    • General IT Basic Protection (BSI)
    • Rights and roles concept
    • Special measures in the production environment (VDI/VDE 2182, Information security in industrial automation)
    • Availability requirements
  • Definition, prioritisation and implementation of the catalogue of measures
  • Creating a security policy
  • Definition of a security policy for suppliers and subcontractors
    • Communication channels
    • Conformity testing of the supply components
  • Establish security monitoring / control center (SIEM system: Security Information and Event Management)
  • Planning and implementation of a backup strategy/system
  • Appointment of a Security Manager
  • Training
  • Documentation
    • Security Concept / Policy
    • Security-relevant organizational and technical processes
    • Machine inventory with current patch and version statuses

Phase 2 – Security management during operation

  • Regular auditing of the specifications
  • Implementation of adjustments
  • Monitoring of data and protocol streams for anomalies in real time
  • Regular training

Phase 3 – Continuous maintenance of the environment

  • Regular audits and penetration tests
  • Regular and prompt patch and update measures over the entire lifecycle
  • Updating the security environment in the event of a change in the threat situation
  • Integration of new devices, sensors/actuators and applications according to security guidelines
  • In the event of production changeover, check of the entire security scope
  • Regular control of the backup systems / strategy
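
The procedure model above links two deliverables from Phase 1 (the approved communication paths and the machine inventory with approved patch and version statuses) to the Phase 2 task of monitoring protocol streams and configurations for anomalies. The following script is an added illustration of that link and is not code from the page or from ROI-EFESO: it treats the planned communication matrix as an allow-list, flags observed flows that have no approved path, and compares scanned firmware versions against the approved inventory. All zone names, hosts, protocols and version strings are constructed sample data.

```python
"""Added example: check observed flows and an asset scan against Phase 1 planning results.

Not part of the original page. Zones, hosts, protocols and versions are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed or approved communication path between two network zones."""
    src_zone: str
    dst_zone: str
    protocol: str  # e.g. "opcua", "https", "ssh" (constructed labels)


# Phase 1 deliverable: approved communication matrix (constructed example).
APPROVED_PATHS = {
    Flow("cell_1", "scada", "opcua"),          # machine cell reports to SCADA
    Flow("scada", "mes", "https"),             # SCADA forwards to the MES
    Flow("maintenance_vpn", "cell_1", "ssh"),  # planned remote maintenance path
}

# Phase 1 deliverable: machine inventory with approved minimum versions (constructed).
APPROVED_VERSIONS = {
    "press_01": "2.4.1",
    "robot_07": "5.10.0",
    "hmi_03": "1.8.2",
}

# Phase 2 observations (constructed): flows seen on the network and a version scan.
OBSERVED_FLOWS = [
    Flow("cell_1", "scada", "opcua"),   # approved
    Flow("cell_1", "mes", "https"),     # bypasses SCADA: not in the matrix
    Flow("office", "cell_1", "rdp"),    # office zone reaching a cell: not planned
]
ACTUAL_INVENTORY = {
    "press_01": "2.4.1",      # at approved level
    "robot_07": "5.9.3",      # below approved 5.10.0
    "sensor_gw_02": "0.9",    # device nobody registered in the inventory
    # hmi_03 is absent from the scan entirely
}


def parse_version(version: str) -> tuple:
    """Split dotted versions into integer tuples so 5.9.3 < 5.10.0 compares correctly.

    A plain string comparison would rank "5.9.3" above "5.10.0".
    """
    return tuple(int(part) for part in version.split("."))


def check_flows(observed):
    """Return observed flows with no approved path, in observation order."""
    return [flow for flow in observed if flow not in APPROVED_PATHS]


def check_inventory(actual):
    """Return (asset, finding) pairs: outdated, unregistered, or missing assets."""
    findings = []
    for asset, version in actual.items():
        if asset not in APPROVED_VERSIONS:
            findings.append((asset, "not in approved inventory"))
        elif parse_version(version) < parse_version(APPROVED_VERSIONS[asset]):
            findings.append((asset, f"outdated: {version} < {APPROVED_VERSIONS[asset]}"))
    # Assets that were planned but did not show up in the scan are also a deviation.
    for asset in sorted(APPROVED_VERSIONS.keys() - actual.keys()):
        findings.append((asset, "missing from scan"))
    return findings


if __name__ == "__main__":
    for flow in check_flows(OBSERVED_FLOWS):
        print(f"unapproved flow: {flow.src_zone} -> {flow.dst_zone} ({flow.protocol})")
    for asset, finding in check_inventory(ACTUAL_INVENTORY):
        print(f"inventory deviation: {asset}: {finding}")
```

The output of both checks is what the Phase 2 audit feeds back into the catalogue of measures: an unapproved flow either gets added to the communication matrix after review or blocked at the segment boundary, and an inventory deviation becomes a patch or registration task in Phase 3.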
Case Study

Transformation through smart product development. A job for the "I-Team": A strong development team at a manufacturer of household appliances recorded solid success. But now customers want to network kitchen appliances, refrigerators and mixers in the "smart home". ROI-EFESO established an "I-Team" with the fresh perspective of "digital natives" and accompanied the internal change with great success.

Case Study

In the furniture industry, the use of digital technologies can pay off in several ways: with virtual reality, big data analytics or online configurators, additional sales channels can be opened up. With a globally represented bed manufacturer, ROI-EFESO implemented an "end-to-end digitization" project that took into account all relevant stages of value creation: from the customer experience to ordering to production and logistics.

Case Study

An automotive supplier improved the transparency of work and organizational processes in a production plant for dashboards. With a "Digital Process Twin" from ROI-EFESO, the company reduced the reject rate and made improvement potentials in its value creation networks visible.

Case Study

Shaping the factory of the future with Lean 4.0. How can lean principles be combined with the technologies and possibilities of networked digitization in value creation networks? By further qualifying employees to become decision-makers. The ROI-EFESO certification program for "Lean Digital Manager" shows how digitalization of lean production works. To do this, it combines strategies with Industry 4.0 technologies.

Case Study

The energy market is data-driven, smart solutions determine the business model. In order to always be a step ahead of the competition, one thing is required: flexibility in thinking and acting. A utility company wanted to take the performance of its global R&D organization to a new level. In the first step, together with ROI-EFESO, it obtained a general overview of the respective degree of agilization of the various R&D units and processes.