Mohammad Hosseini, A. (2026). Architectural approaches for the integration of safety and security in I4.0 [Dissertation, Technische Universität Wien]. reposiTUm. https://doi.org/10.34726/hss.2026.139620
safety; OT security; operational technology; industry 4.0; IT-OT integration
en
Abstract:
The field of industrial automation is rapidly evolving, with Industry 4.0 (I4.0) introducing increasing levels of connectivity, complexity, and cyber-physical integration. A new challenge faced by modern factories is ensuring both safety and security in a landscape where Operational Technology (OT) and Information Technology (IT) converge and intertwine, potentially exposing critical systems to new security vulnerabilities and safety risks. Traditionally, safety is a well-developed domain in industrial sectors, while security is an emerging one that is often treated as an afterthought, leading to a weak security posture or to security issues whose fixes are costly once the system is in operation. That is why safety and security have to be systematically integrated throughout the entire system lifecycle, especially its earlier phases, encompassing requirements definition, system design, implementation, and operation. Standardization and regulation play a pivotal role in ensuring both safety and security. Critical infrastructures are required to comply with numerous safety and security standards, and this compliance landscape is becoming increasingly complex with the introduction of new security-focused regulations such as the Cyber Resilience Act and the EU AI Act. These compliance activities are to a large extent manual and therefore time-consuming, and they are further complicated by the existing knowledge gap between safety and security specialists. Consequently, there is a growing demand for automated, computer-assisted safety and security verification and validation. Achieving such automation, however, requires rigorous modelling and is particularly challenging given the inherently textual and often ambiguous nature of standards. This thesis addresses these challenges of integrating safety and security into I4.0 automation system architectures during the design phase, with an emphasis on compliance with relevant security standards while taking safety into account.
We present a formal methodology for modelling system architecture, together with safety and security requirements from different standards and their interrelations. The modelling approach relies on ontology and knowledge graph technologies, which enable the consolidation of all safety- and security-related information within a unified knowledge base. This integration facilitates advanced reasoning and the extraction of new insights from the modelled information, enabling safety and security verification and validation during the design phase. To obtain a standardized and reusable framework for modelling system architecture, the modelling itself is based on ISO/IEC/IEEE 42010, the international standard for architecture descriptions of systems and software. Additionally, we leverage emerging technologies, specifically Large Language Models (LLMs), to further enhance the effectiveness and usability of the methodology. The goal is to reduce the complexity of the modelling technologies and make the approach usable by a broader range of users, including those who are not safety or security specialists. Furthermore, the concept of digital twins and its underlying potential are considered and explored. Specifically, the Asset Administration Shell model is explored as a new standardized digital representation of assets that provides all relevant information and functions in a standardized, machine-readable format, facilitating data exchange and communication between different systems and companies throughout an asset's lifecycle. Our results from use case studies and prototyping demonstrate that embedding safety and security by design into system design leads to measurable improvements in safety and security compared to prior siloed approaches.
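As an added illustration of the kind of knowledge-graph reasoning the methodology relies on (this is constructed example code, not the thesis's ontology, tooling or use case), the block below stores a small architecture description and one security requirement as triples, infers which elements are safety-relevant by propagating over connection relations, and then reports every inferred element that lacks a control the requirement mandates. All asset names, predicates and the requirement label `REQ-SEC-1` are hypothetical.

```python
"""Constructed toy example: rule-based reasoning over an architecture/requirement
knowledge graph to find design-time compliance gaps. Not the dissertation's model."""
from collections import defaultdict

# Hypothetical architecture and requirement knowledge base as (subject, predicate, object).
TRIPLES = [
    ("SafetyPLC", "rdf:type", "Controller"),
    ("SafetyPLC", "performs", "EmergencyStop"),
    ("EmergencyStop", "rdf:type", "SafetyFunction"),
    ("HMI", "rdf:type", "Workstation"),
    ("HMI", "connectedTo", "SafetyPLC"),
    ("Historian", "rdf:type", "Server"),
    ("Historian", "connectedTo", "HMI"),
    ("OfficePC", "rdf:type", "Workstation"),       # no path to the safety function
    ("SafetyPLC", "implements", "AccessControl"),
    ("SafetyPLC", "implements", "NetworkSegmentation"),
    ("HMI", "implements", "AccessControl"),
    ("HMI", "implements", "NetworkSegmentation"),
    # Constructed security requirement, expressed in the same graph as the architecture:
    # every safety-relevant element must implement both listed controls.
    ("REQ-SEC-1", "appliesTo", "SafetyRelevant"),
    ("REQ-SEC-1", "requiresControl", "AccessControl"),
    ("REQ-SEC-1", "requiresControl", "NetworkSegmentation"),
]


class Graph:
    """Minimal triple store with two lookups: objects of (s, p) and all (s, o) pairs of p."""

    def __init__(self, triples):
        self._by_sp = defaultdict(set)
        self._by_p = defaultdict(set)
        for s, p, o in triples:
            self._by_sp[(s, p)].add(o)
            self._by_p[p].add((s, o))

    def objects(self, s, p):
        return self._by_sp.get((s, p), set())

    def pairs(self, p):
        return self._by_p.get(p, set())


def infer_safety_relevant(g):
    """Rule 1: x performs f and f is a SafetyFunction  ->  x is SafetyRelevant.
    Rule 2: y connectedTo x and x is SafetyRelevant    ->  y is SafetyRelevant.
    Rule 2 is applied to a fixpoint, so relevance propagates along chains of connections."""
    relevant = {x for x, f in g.pairs("performs")
                if "SafetyFunction" in g.objects(f, "rdf:type")}
    changed = True
    while changed:
        changed = False
        for y, x in g.pairs("connectedTo"):
            if x in relevant and y not in relevant:
                relevant.add(y)
                changed = True
    return relevant


def check_requirements(g):
    """Return (requirement, element, missing_control) for each gap between the inferred
    safety-relevant elements and the controls the requirements in the graph demand."""
    relevant = infer_safety_relevant(g)
    violations = []
    for req, scope in sorted(g.pairs("appliesTo")):
        if scope != "SafetyRelevant":
            continue
        for elem in sorted(relevant):
            for ctrl in sorted(g.objects(req, "requiresControl")):
                if ctrl not in g.objects(elem, "implements"):
                    violations.append((req, elem, ctrl))
    return violations


if __name__ == "__main__":
    for req, elem, ctrl in check_requirements(Graph(TRIPLES)):
        print(f"{req}: {elem} lacks {ctrl}")
```

The point of keeping the requirement in the same graph as the architecture is that a new standard clause becomes a few added triples and a rule, rather than a manual review pass; here the Historian is only found to be in scope because relevance was propagated through the HMI, which is exactly the kind of indirect interrelation a siloed safety or security review tends to miss.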
This integrative approach promotes coordinated stakeholder collaboration during the design phase, helping to prevent safety and security issues that would be more costly and difficult to address in later development stages. The insights gained extend beyond the immediate industrial setting, offering a blueprint for secure digitalization in other cyber-physical domains. Broadly, this work contributes to a safer and more secure industrial future, in which digital innovation is balanced by rigorous protective measures, thus accelerating the trustworthy adoption of I4.0 practices across diverse sectors.