Compliance and Security is Management Responsibility in Times of Industry 4.0 and Digitization

Within the framework of Industry 4.0, the networking of industrial plants, processes and communication on the basis of continuous digitization is an elementary prerequisite. Important data becomes visible for new user groups and a data exchange/ comparison between the production systems takes place in manufacturing. The cross-company coupling of entire factories, which coordinate interactively, will be a production factor in Industry 4.0 solutions in the near future. As a result, these environments are exposed to the same threats as standard IT.

The challenge of making data available to users at any time and any place requires a sound security strategy in the company. The availability of systems and data protection must be an integral part of risk management and are therefore management responsibility.

In the past, security considerations were mainly limited to the office environment and the data center, but digitization in manufacturing has created completely new areas of consideration. Requirements from classic IT security are now also relevant for digitized production systems. The continuous availability of the systems must be ensured, as must the continuous updating of system security throughout the entire lifecycle. In order to efficiently master this balancing act between availability and security at the level of shop floor IT, novel concepts are required.

The introduction of new communication channels and the necessary technologies requires sound planning. Current conditions often pose high hurdles. In the past, production systems were not necessarily kept at the latest operating system and patch level; secure and hardened networks are rarely found in production environments.

For this reason, a basic planning of all necessary communication channels under close consideration of the security requirements is an absolute necessity. In addition to the basic IT security requirements according to ISO 7498-2 such as authentication, access control, data confidentiality, data integrity and non-repudiation, more extensive considerations are required in production environments. External influences on networks, such as EMV, require special measures. The use of camera systems for the control and inspection of production facilities is subject to compliance guidelines such as DSGVO. The operation of so-called "unmanaged devices" such as smartphones or tablets must be planned and implemented precisely.

Future remote maintenance solutions will monitor production machines in real time and transmit data to control stations or as a mobility solution to maintenance personnel. Data collection on capacity utilization, throughput times or individual control require secure connections and environments.

The basis for a secure environment is a well-founded risk analysis that considers the required availability as well as possible threat scenarios. A risk analysis includes the current conditions and necessary measures over the entire lifecycle of the environment. Security is not a static measure but requires continuous observation and control.

Baseline situation

Nowadays, production systems usually operate autonomously without connection to other systems and are not integrated into network environments. In a successful industry 4.0 project, however, these systems must communicate with each other. Regardless of whether this status information is transmitted to a control station in the digital production environment, coordinated with subsequent production systems, or data provision for analysis, the data must be interpretable and binding. The data must be classified according to protection requirements and appropriate measures planned.

A further essential point is missing know-how and understanding in the enterprise. Here special attention is to be directed to the development of the authority of the coworkers by e.g. training courses.

Procedure model

Security and compliance measures must be implemented as a parallel goal in every digitization project.

A three-stage procedure model is recommended:

1. Phase 1 - Planning before commissioning

  • Determination of communication requirements and paths
  1. Data exchange from and to systems / users
  2. Encodings
  3. Remote maintenance
  • Capture network structure and segmentation requirements
  • Recording of safety-relevant hazards - Risk assessment of the actual situation (values/data requiring protection)
  • Creation of a catalogue of measures
    • General IT Basic Protection (BSI)
    • Rights and roles concept
    • Special measures in the production environment (VDI VDE 2182 Information security in industrial automation)
    • Availability requirements
  • Definition, prioritisation and implementation of the catalogue of measures
  • Creating a security policy
  • Definition of a security policy for suppliers and subcontractors
    • Communication channels
    • Conformity testing of the supply components
  • Establish Security Monitoring / Control Center (SIEM-System - Security Information and Event Monitoring)
  • Planning and implementation of a backup strategy/system
  • Appointment of a Security Manager
  • Training
  • Documentation
    • Security Concept / Policy
    • Safety-relevant organizational and technical processes
    • Machine inventory with current patch and version statuses

2. Phase 2 - Security management during operation

  • Regular auditing of the specifications
  • Implementation of adjustments
  • Monitoring of data and protocol streams for anomalies in real time
  • Regular training

3. Phase 3 - Continuous maintenance of the environment

  • Regular audits and penetration tests
  • Regular/ prompt patch and update measures over the entire lifecycle
  • Updating the security environment in the event of a change in the threat situation
  • Integration of new devices, sensors/actuators and applications according to security guidelines
  • In the event of production changeover, check of the entire security scope
  • Regular control of the backup systems / strategy

Case Study

©MONOPOLY919/shutterstock.com

End-to-end digitization

ROI realized an "end-to-end digitization" project with a global bed manufacturer that took into account all relevant stages of Value creation: from the customer experience to ordering, production and logistics.

Case Study

Bild eines Monitors der das Haus steuert
©zhu difeng/shutterstock.com

Transformation through Smart Products Development

A strong development team had solid successes with a manufacturer of household appliances. But now customers want to network kitchen machines, refrigerators and mixers in the "Smart Home". ROI established an "I-Team" with the fresh view of "Digital Natives" and accompanied the internal change.

Case Study

Mann vor einem Laptop mit Digital Twin am Bildschirm
©FERNANDO BLANCO CALZADA/shutterstock.com

Development of a digital twin to increase quality and productivity

An automotive supplier improved the transparency of work and organizational processes in a production plant for dashboards.

With a "Digital Process Twin" from ROI, the company reduced the reject rate and made improvement potentials in its Value creation networks visible.

Case Study

Zwei sitzende Frauen klatschen
Lean Digital Manager ©S_L/shutterstock.com

Lean Digital Manager

The ROI certification program for "Lean Digital Manager" shows how digitization of Lean Production works. It combines Lean Management strategies with industry 4.0 technologies.

Case Study

Zwei Männer vor einem Computer
©Alessandro Romagnoli/shutterstock.com

Agile methods in software development

An energy company wanted to take the performance of its global R&D organization to a new level. In a first step, together with ROI, it obtained an overall overview of the degree of agilisation of the various R&D units and processes.