1 Introduction

An important technological characteristic of industry 4.0 and related cyber-physical systems (CPS) is the interconnectivity of the physical world with the virtual one. While CPS are defined as physical and engineered systems whose operations are monitored, coordinated, controlled, and integrated by a computing and communication core [23], industry 4.0 is seen as the trend transforming manufacturing industry to the next generation by systematic deployment of CPS [19]. Industry has already recognized the benefits of using the data generated during machine use. Sensors are attached to machines and monitor the health status of the plants. In industry 4.0, this idea is retained, but supplemented by the possibility of predicting the conditions of the plant, controlling it, and taking independent actions. The interaction between sensors and actuators is a significant difference from the already existing embedded systems, which are based on programmable logic controllers. The physical and the virtual software levels amalgamate and can no longer be distinctly differentiated. In this way, physical processes are monitored, and a virtual copy of the actual situation is created. This virtual plant is the starting point for simulations based on algorithms. Real-time decisions can then be made on the basis of a fusion of the virtual and the physical world. The plant identifies its own status, the next working steps, and the status of the other machines just in time and adapts itself independently to the changing environment. To implement real-time decisions and actions, there is a need for low vertical integration. Thus, an important plant design factor is decentralization [4], which allows machines to take independent actions, e.g., in case of a machine failure, to re-route the product to a different plant.
In order to guarantee an information exchange between all components, the product must also have similar characteristics, i.e., become a so-called “smart product”. That means it must provide information on its location and store the current assets that it runs through in order to enable control. This process is supported by radio frequency identification (RFID) technology [9]. As a result of the new technologies and the adaptation of the machines through the implementation of sensors, actuators, and RFID, a huge amount of new data is generated that needs to be stored, correctly filtered, analyzed, and distributed to the right places. The computational performance of today’s monolithic controllers is not sufficient to handle this data correctly and thus to solve complex algorithms. In industry 4.0, cloud computing plays a key role for the infrastructural solutions in information technology (IT). Cloud computing allows systems, and also parts of the machines, to be controlled autonomously via the infrastructure provided by the cloud. In this way, data-intensive tasks can be outsourced to the cloud. Sensors and actuators are the only components remaining as a local resource on the machine itself. The big advantage is an easy, centralized data storage and analysis space with large computational power that continuously provides access to all plants. Small businesses in particular can benefit from using already existing infrastructure without investing in their own expensive IT solutions. Still, there are significant concerns regarding the data security of this application. Enterprises are hesitant to provide sensitive internal data to external servers that can be exposed to cyber-attacks.

This development poses new challenges for the governance of data and IT that are reflected in studies on respective IT governance frameworks such as COBIT. Margaria et al. [21] raise the question of which IT governance is needed for distributed intelligent CPS, composing a list of the most urgent governance issues for CPS. Moreover, Wolden et al. [26] examine the effectiveness of the COBIT 5 information security framework for reducing cyber-attacks on a supply chain management system. Bartens et al. [3] have demonstrated that an infrastructural development such as the emergence of industry 4.0 may require a bottom-up analysis and implementation of IT governance, while Schulte et al. [25] have discussed challenges that arise from open data, which is inherent in CPS. These studies build the foundation for CPS governance, but do not extensively address IT governance issues arising with the development of CPS. We provide a detailed overview of the changes that accompany the emergence of CPS and industry 4.0 and discuss necessary adjustments of current IT governance approaches. We use the COBIT 5 framework to illustrate how current IT governance practices address the detected challenges.

The remainder of this article is structured as follows. After a review of related work in Sect. 2, we introduce the transformational process of industry 4.0 and governance implications in Sect. 3. On this foundation, Sect. 4 discusses challenges and analyzes requirements for IT governance arising from CPS and especially the trend of industry 4.0. Finally, Sect. 5 concludes the study and gives an outlook on future research.

2 Related Work

Academic endeavors related to IT governance for CPS and industry 4.0 can be separated into four major building blocks: literature on CPS, studies on industry 4.0, related governance approaches, and research on current IT governance issues. Table 1 lists related work according to this classification. CPS have recently received significant attention, e.g., among researchers working on manufacturing systems [19] and systems design [17], while other works focused on security issues emerging from the deployment of CPS [10]. Ensuring safety, stability, and performance of CPS while minimizing the costs of CPS are widely seen as important challenges [2]. These challenges are especially severe since the application of CPS is considered a distinct intervention in operations of businesses and public organizations [23]. Related to the research focus on manufacturing, industry 4.0 is seen as the trend transforming manufacturing industry to the generation of CPS [19]. Hermann et al. [12] identify six design principles for implementations of industry 4.0: interoperability, virtualization, decentralization, real-time capability, service orientation, and modularity. Lee et al. [20] emphasize the importance of smart analytics and service innovation in the context of industry 4.0. Gorecky et al. [11] state that the development of industry 4.0 will be accompanied by changing tasks and demands for the human in the factory and elaborate on human aspects in the design of industry 4.0. Moreover, Lasi et al. [15] describe an application-pull and a technology-push as driving forces behind industry 4.0. In particular, the two latter studies directly point to important issues in governance and (bi-directional) IT/business alignment. While the aforementioned works focused on issues implicitly requiring a rethinking of (IT) governance for CPS, other studies explicitly address governance issues for CPS. Among these works, Schirner et al. [24] elaborate on the issue of shared governance between humans and robotics in CPS, while Margaria et al. [21] summarize IT governance issues for CPS. Broy et al. [5], on the other hand, mention the human-system cooperation, usability, and safety, i.e., also deal with questions of shared control, transparency/controllability, and integrated models for human-machine interaction. Kosub [14] calls for cyber risk governance to address risks imposed even by small groups of individuals who threaten CPS by attacking electronic components monitoring and controlling physical entities such as, e.g., embedded systems in trains or airplanes. Abbas et al. [1] furthermore proclaim structured mechanisms for conformance testing as falsification for CPS. Finally, some authors examine related issues in the attempt to advance IT governance, data governance, and IT governance frameworks. Studies on data governance [6, 13] emphasize the need for improved compliance, security, and performance in dealing with the extended volume and variety as well as velocity of data transactions that are associated with technological developments such as CPS. Other studies rather focus on the development of IT governance frameworks [7, 8], where COBIT 5 is frequently used, e.g., as an information security framework for reducing cyber attacks [26].

In summary, the transformational impact of CPS in industry and public organizations is widely recognized, while the development of specific (IT) governance approaches lags behind these insights.

Table 1. Problem classification and considered articles
Table 2. Aspects of the industry 4.0 transformation process

3 The Industry 4.0 Transformation Process

Table 2 gives an overview of the changes towards industry 4.0 and illustrates the interfaces at which large amounts of data are generated. The table gives explicit information about the kind of data that is produced by the different players in a smart factory. The smart product was added as an important data enabler in industry 4.0, since information about the usage, based on dynamic data, is going to be an essential competitive advantage. In the aerospace industry, e.g., data generated by air fleets is already used to forecast the remaining lifetime of turbines. Therefore, an exchange of the used parts takes place only when needed. Simulations based on the data can forecast the regular wear under different environmental influences, like temperature or number of revolutions. A nearly optimal utilization is promised. Other than that, sensors and controllers are the main data drivers in industry 4.0. CPS include embedded systems, which, on the one hand, are equipped with sensors for the acquisition of data and, on the other hand, with actuators for activating or influencing processes. Consequently, sensors produce a lot of process data, like the position of the component or its torque. Storing this data over time gives a good database for further simulations. Controllers are used to operate different tasks. The data created by the controllers can mainly be distinguished into processor data and machine data. Processor data is used to enable a successful data transmission and does not give information to the user about the machine itself, e.g., the data origin or its destination address. Machine data is the genuine data the controller allocates, e.g., the availability of the machine or its workload. These data types are the cornerstones for an efficient implementation of industry 4.0 visions.

4 IT Governance for Cyber-Physical Systems

IT governance for CPS may be discussed on a conceptual level or based on specific frameworks. This section first discusses general IT governance issues (Sect. 4.1) related to CPS and then presents an example of the IT governance framework COBIT 5 (Sect. 4.2).

4.1 IT Governance

Properly applied IT systems can add great value to businesses. In this context, IT governance formulates and implements IT strategies to ensure that IT supports the company’s strategies and objectives. The two main tasks of IT governance are first performance and second conformance. Performance is understood as the task to control or influence the effectiveness of the company’s activities and hence to create enterprise value. Increasing performance requires, e.g., scaling large amounts of data and parallelizing processes. Conformance, on the other hand, describes the compliance with standards, norms, and above all with legal constraints. Here, IT governance models take the important role of minimizing the IT risks caused by illegal actions, e.g., cyber-security threats. This sphere decides on how to reach the company goals in the best possible way by implementing IT. The strategy has to be planned, and a decision on a technical infrastructure has to be made. Additional input is provided by the monitoring and evaluating sphere as shown in Fig. 1.

Fig. 1. A conceptual model of IT governance adapted from [22]

In industry 4.0, self-adapting dynamic systems need a new planning approach, since the whole system is made of different single elements which build on each other and interact with each other. Autonomous decision making changes the situations independently so that dynamic planning approaches become necessary. Planning the technical infrastructure is challenging as well, as large amounts of data must be transferred, which is the reason why companies must be able to rely on reliable and fast communication networks. This process shows the changes that have to be made to meet the required settings before implementing the strategy. Thereby, acquisition and maintenance of software are also key aspects of this domain. In industry 4.0, there will be a need for uniform software standards. Different external and internal rudiments can make the interconnected cooperation considerably more difficult or impossible. A unification across all sectors, however, could quickly meet the limits of complexity. Delivery and support deliver IT services. Covered areas in this domain are supplier management and general administration tasks. However, it also includes system security management. With the new technologies and interfaces in industry 4.0, new security threats can arise. Manipulation of location data on transmitters, e.g., can cause the companies a lot of harm. The interconnectivity of the sensors with the whole system raises the threat of wrongly edited processes which never occurred in such a manner in the factory. To meet quality requirements and legal constraints, monitoring and evaluating has a controlling character in the whole process. Here, the focus is on being informed about external and internal restrictions and guaranteeing their execution through all layers. Legal constraints are determined by the individual states, which also applies to services like the cloud.
Companies may need to take setbacks in the disclosure of their sensitive data to use the new technologies.

4.2 An Example of COBIT 5

COBIT 5, as a widely applied IT governance framework [8], uses a goal cascade that breaks down enterprise goals to IT-related goals as illustrated in Table 3. Moreover, COBIT 5 defines processes associated with certain activities to ensure that the goals are reached. The different types of COBIT goals and processes may be used to assess how the framework addresses challenges arising with the emergence of CPS and industry 4.0. In Table 3, a specific example of networked industry hardware is related to COBIT 5 goals and processes. It is evident that several important governance issues related to the example are addressed by COBIT 5 on a strategic level. Nonetheless, none of these strategic goals and processes would likely have prevented the incident of the example. Hence, the readiness of COBIT 5 for CPS security depends a lot on the lower-level configuration in implementations of the framework. That is, how subordinate process goals and related metrics are defined plays a significant role for the degree of security enforced by a COBIT 5 implementation.

Table 3. COBIT 5 example

5 Conclusion

Prior work has pointed out the importance of changes induced by the emergence of CPS in industry; Lee et al. [19], e.g., recently proposed a CPS architecture for industry 4.0-based manufacturing systems. Nevertheless, there is a lack of literature addressing related governance and IT governance issues. In this work, we have summarized the transformational process of industry 4.0 in order to link this development to important IT governance requirements. We found that current IT governance practices generally cover fundamentals to match these requirements, but also depend on CPS-aware configuration or implementation. This study extends findings by Wolden et al. [26], looking at diverse aspects of CPS for IT governance, and thus adds to insights on how COBIT 5 deals with cyber-risks within a supply chain. In addition, we have used a recent example to illustrate how COBIT 5 uses enterprise goals, IT-related goals, and processes to implement CPS strategies. This study therefore indicates that IT governance frameworks are indeed useful to prepare enterprises and organizations for CPS challenges, but might need to put more weight on specific issues and provide respective guidance for configuration. Although we have reviewed detailed implications of CPS on (IT) governance in this work, no extensive approach for CPS-ready IT governance has been elaborated. The development of more detailed proposals for an altered IT governance for CPS and autonomous systems will therefore be part of future work.