
7.1 Identity & Access

Security in a manufacturing environment is not just about preventing external hackers; it is about preventing an untrained operator from accidentally crashing a million-dollar machine. Identity management serves as the digital safety rail, ensuring that every user has exactly the permissions they need to do their job—nothing more, nothing less. Treat identity as a critical process parameter, not an IT administrative burden.

Role-Based Access Control (RBAC)

Stop managing permissions user-by-user. It is unscalable and dangerous. Define strict "Roles" that mirror physical job functions and map users to these groups.

The "Zero-Generic" Rule

  • Strict Prohibition: Never use generic accounts like Line1_Admin or Operator_3.
  • Reasoning: If Line1_Admin changes a safety limit, you have no way of knowing who actually pressed the button. Every action must be attributable to a named human.

Standard Manufacturing Roles

  • Operator (Read/Execute): Can start jobs, view SOPs, and record Pass/Fail. Cannot change recipes or skip steps.
  • Line Lead (Override): Can release "Held" lots and re-assign tasks.
  • Process Engineer (Write): Can modify Limits, Recipes, and Bill of Operations.
  • Maintenance (Bypass): Can operate the machine in "Manual Mode" for repair. Because this bypasses the normal recipe and step checks, entry into and exit from Manual Mode must be logged and the mode must time out rather than stay on indefinitely.

Access Logic

  • If User is in AD Group MES_Operators → Grant Level 1 (Operator) Access.
  • If User leaves the company → Disable AD Account (Access revoked across all systems). Revocation is only instant if every system evaluates group membership against AD at login and again at each privileged action; an MES that caches memberships locally keeps granting access until the cache expires, and a session already open on a shared terminal lasts until the inactivity timeout.
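The following is an added example (not code from the original page or from any MES vendor) of the access logic above as a deny-by-default resolver: AD group membership is mapped to a role, roles to permissions, and the Zero-Generic rule and the leaver rule are enforced as gates that are re-evaluated on every call. The group names other than MES_Operators, the permission identifiers, the employee IDs and the sample users are assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# AD group -> manufacturing role. "MES_Operators" is the group named in the text;
# the other three group names are assumptions for this example.
GROUP_TO_ROLE = {
    "MES_Operators": "Operator",
    "MES_LineLeads": "Line Lead",
    "MES_ProcessEngineers": "Process Engineer",
    "MES_Maintenance": "Maintenance",
}

# Role -> permissions, following the role descriptions in the text. The
# permission identifiers themselves are made up for the example.
ROLE_PERMISSIONS = {
    "Operator": {"job.start", "sop.view", "result.record"},
    "Line Lead": {"job.start", "sop.view", "result.record", "lot.release", "task.reassign"},
    "Process Engineer": {"sop.view", "limit.modify", "recipe.modify", "bom.modify"},
    "Maintenance": {"sop.view", "machine.manual_mode"},
}


@dataclass
class DirectoryUser:
    """The subset of an AD user object the MES needs (constructed, not an LDAP schema)."""
    sam_account: str
    enabled: bool
    employee_id: Optional[str]            # None = no named human behind the account
    groups: FrozenSet[str] = frozenset()


def effective_permissions(user: DirectoryUser) -> FrozenSet[str]:
    """Resolve a user to permissions. Deny by default: every gate must pass."""
    if not user.enabled:                  # leaver: AD account disabled => nothing, everywhere
        return frozenset()
    if not user.employee_id:              # Zero-Generic rule: unattributable accounts get nothing
        return frozenset()
    perms = set()
    for group in user.groups:
        role = GROUP_TO_ROLE.get(group)   # groups the MES does not know grant nothing
        if role is not None:
            perms |= ROLE_PERMISSIONS[role]
    return frozenset(perms)


def authorize(user: DirectoryUser, action: str) -> bool:
    """Evaluate against the live user record on every call. Caching this result
    inside the MES would defeat "disable the AD account and access is gone"."""
    return action in effective_permissions(user)


# Constructed sample users (names, IDs and memberships are made up).
JDOE = DirectoryUser("jdoe", True, "E10422", frozenset({"MES_Operators"}))
MLEE = DirectoryUser("mlee", True, "E10877", frozenset({"MES_Operators", "MES_LineLeads"}))
LINE1_ADMIN = DirectoryUser("Line1_Admin", True, None, frozenset({"MES_ProcessEngineers"}))
RROE_LEFT = DirectoryUser("rroe", False, "E09311", frozenset({"MES_ProcessEngineers"}))

if __name__ == "__main__":
    checks = [(JDOE, "job.start"), (JDOE, "recipe.modify"), (MLEE, "lot.release"),
              (LINE1_ADMIN, "recipe.modify"), (RROE_LEFT, "limit.modify")]
    for user, action in checks:
        verdict = "ALLOW" if authorize(user, action) else "DENY"
        print(f"{user.sam_account:12} {action:20} {verdict}")
```

Note that Line1_Admin is denied even though it sits in the engineers' group: the account has no employee behind it, so nothing it does could be attributed, and the resolver refuses it outright rather than trusting the group alone.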

Authentication & SSO (Single Sign-On)

On the shop floor, speed is the priority. If an operator has to type a complex password every 60 seconds, they will write it on a sticky note attached to the monitor.

Shop Floor Auth Strategy (Badge + PIN)

  • Mechanism: Integrate RFID badge readers (HID) with the MES. The badge is "something you have" and the PIN is "something you know". The card ID on its own is not a secret (badges get lost and prox cards can be read or cloned), so the PIN is what ties the tap to the named person.
  • Workflow:
    1. Tap: Operator taps badge and enters a short PIN.
    2. Verify: System reads Card ID -> Looks up the user in Active Directory -> Checks the account is enabled and the PIN matches -> Logs User in.
    3. Timeout: Auto-logout after 5 minutes of inactivity to prevent "piggybacking" (the next person at the shared terminal acting under the previous operator's name).
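An added example (not code from the original page or from any badge-reader or MES product) of the tap-plus-PIN workflow above, including the two failure modes a practitioner cares about: a short PIN must be protected by a lockout or it is brute-forceable from the terminal, and the session must expire on inactivity. The badge IDs, usernames and PINs are constructed; storing PINs as salted PBKDF2 hashes, a lockout after three failures and the Session shape are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

INACTIVITY_TIMEOUT = 5 * 60        # seconds, as in the workflow above
MAX_FAILED_PINS = 3                # assumption: a 4-digit PIN needs a lockout or it is brute-forceable
PBKDF2_ITERATIONS = 200_000


def hash_pin(pin: str, salt: bytes) -> bytes:
    """PINs are stored salted and stretched, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    enabled: bool
    pin_salt: bytes
    pin_hash: bytes
    failed_pins: int = 0


def make_account(username: str, pin: str, enabled: bool = True) -> Account:
    salt = os.urandom(16)
    return Account(username, enabled, salt, hash_pin(pin, salt))


# Constructed directory: badge card ID -> account. In production the card ID is
# an attribute on the AD user object; these IDs, names and PINs are made up.
BADGE_INDEX: Dict[str, Account] = {
    "0A1B2C3D": make_account("jdoe", "4821"),
    "DEADBEEF": make_account("rroe", "1337", enabled=False),   # leaver, disabled in AD
    "C0FFEE11": make_account("tlee", "9090"),
}


@dataclass
class Session:
    username: str
    authenticated_at: float
    last_activity: float


def badge_login(card_id: str, pin: str, now: float,
                badges: Dict[str, Account] = BADGE_INDEX) -> Optional[Session]:
    """Tap + PIN. Returns a Session on success, None on any failure."""
    account = badges.get(card_id.upper())
    if account is None or not account.enabled:
        return None
    if account.failed_pins >= MAX_FAILED_PINS:        # locked until an administrator resets it
        return None
    # The card ID is only a lookup key (prox cards can be read or cloned);
    # the PIN is the secret that proves the badge holder is the named user.
    if not hmac.compare_digest(hash_pin(pin, account.pin_salt), account.pin_hash):
        account.failed_pins += 1
        return None
    account.failed_pins = 0
    return Session(account.username, authenticated_at=now, last_activity=now)


def touch(session: Session, now: float) -> bool:
    """Call on every UI interaction. False means the session has expired and the
    terminal must return to the login screen (no piggybacking on a stale login)."""
    if now - session.last_activity > INACTIVITY_TIMEOUT:
        return False
    session.last_activity = now
    return True


if __name__ == "__main__":
    t0 = 1_000.0
    s = badge_login("0a1b2c3d", "4821", t0)
    print("login:", s)
    print("still active after 4 min:", touch(s, t0 + 240))
    print("still active after 10 more min:", touch(s, t0 + 240 + 600))
```

The timeout is measured from the last interaction, not from login, so a busy operator is never interrupted while an abandoned terminal still locks itself within five minutes.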

Office/Remote Auth Strategy (MFA)

  • Mechanism: Engineers accessing the system from outside the OT network must use Multi-Factor Authentication (MFA).
  • Rule: No remote access to PLC/SCADA control functions without VPN + MFA.

Privileged Actions (The "Break Glass" Logic)

Some actions are necessary but dangerous (e.g., Changing a test limit, Force-Passing a failed unit). These require a "conscious act" of elevation.

Double-Authentication Protocol

Do not rely on the user simply being logged in. Force them to re-prove their identity for critical steps.

  • Trigger: User clicks "Modify Recipe."
  • System Challenge: Pop-up window: "Please Re-Enter Password / Tap Badge to Confirm." The re-entry must be fresh for this action; a re-authentication from ten minutes ago does not count.
  • Result: This stops accidental clicks and creates a distinct "Signature" event in the logs, tied to the specific change rather than to the login.

Supervisor Sign-Off

  • If a critical safety parameter is changed → Require the "Four-Eyes" Principle.
  • Action: The Engineer makes the change, but the system leaves it in a "Pending" state until a Manager logs in and approves it. The approver must be a different named user than the author (an engineer who also holds the manager role cannot approve their own change), and the approval is logged as its own signature event.
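The following is an added example (not code from the original page) of the Double-Authentication Protocol and Supervisor Sign-Off above, written as a small change-control workflow. It assumes the login subsystem records the time of the most recent password entry or badge tap on the session; the step-up check then requires that timestamp to be fresh for the action, and the four-eyes check requires a second named user with an approver role. The 60-second window, the "Manager" role name, the list of critical parameters and the sample users are assumptions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

STEP_UP_WINDOW = 60.0          # assumption: a password/badge re-entry stays valid for 60 s
CRITICAL_PARAMETERS = {"Sterilization_Time", "Oven_Temp"}   # constructed list; changes need four eyes


@dataclass
class Session:
    username: str
    roles: FrozenSet[str]
    last_auth_at: float        # set by the login subsystem on each password entry / badge tap


@dataclass
class ChangeRequest:
    parameter: str
    old_value: str
    new_value: str
    reason: str
    station: str
    author: str
    state: str = "PENDING"     # PENDING -> APPLIED
    approver: Optional[str] = None


class AuthorizationError(Exception):
    pass


def _require_fresh_auth(session: Session, now: float) -> None:
    # Double-Authentication: being logged in is not enough; the credential must
    # have been re-presented within the step-up window for this specific action.
    if now - session.last_auth_at > STEP_UP_WINDOW:
        raise AuthorizationError(f"{session.username}: re-enter password / tap badge to confirm")


def propose_change(session: Session, parameter: str, old_value: str, new_value: str,
                   reason: str, station: str, now: float) -> ChangeRequest:
    if "Process Engineer" not in session.roles:
        raise AuthorizationError(f"{session.username} may not modify {parameter}")
    _require_fresh_auth(session, now)
    if not reason.strip():
        raise AuthorizationError("a reason is mandatory for every change")
    req = ChangeRequest(parameter, old_value, new_value, reason, station, author=session.username)
    if parameter not in CRITICAL_PARAMETERS:
        req.state = "APPLIED"          # ordinary change: the signature event alone is enough
    return req


def approve_change(req: ChangeRequest, session: Session, now: float) -> ChangeRequest:
    """Four-eyes: a second, different, named person with the approver role signs off."""
    if req.state != "PENDING":
        raise AuthorizationError("nothing pending")
    if "Manager" not in session.roles:            # approver role name is an assumption here
        raise AuthorizationError(f"{session.username} is not an approver")
    if session.username == req.author:
        raise AuthorizationError("author cannot approve their own change")
    _require_fresh_auth(session, now)             # the approval is itself a signature
    req.state = "APPLIED"
    req.approver = session.username
    return req


if __name__ == "__main__":
    eng = Session("jdoe", frozenset({"Process Engineer"}), last_auth_at=1000.0)
    mgr = Session("asmith", frozenset({"Manager"}), last_auth_at=1020.0)
    req = propose_change(eng, "Oven_Temp", "240C", "245C", "New Profile A1", "Oven-01", now=1010.0)
    print(req.state)                              # PENDING: critical parameter
    print(approve_change(req, mgr, now=1030.0).state)
```

Holding the change in PENDING rather than applying and later reviewing it is the point: the dangerous value never reaches the machine until the second person has signed.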

Audit Logs (The Black Box)

Compliance (FDA, IATF, ISO) requires proving who did what and when. The audit log is your legal defense.

Immutability Standard

  • Storage: Write-Once, Read-Many (WORM). A signature proves an entry was not altered; it does not prove that no entry was deleted. WORM storage (or anchoring the latest hash somewhere the MES cannot write) is what covers deletion.
  • Integrity: Every entry must be cryptographically signed or hash-chained, and the log must live in a separate store whose administrators are not the MES system administrators.

The "Who, What, Where, Why" Format

A log entry saying "Value Changed" is useless. It must record who made the change, what changed (old and new value), where it happened and why.

  • Bad Log: 10:00 AM - User: J.Doe - Update
  • Good Log: 10:00 AM - User: J.Doe - Changed [Oven_Temp] from [240C] to [245C]. Reason: [New Profile A1]. Station: [Oven-01] 

Pro-Tip: Create an "Alerting Rule" on the Audit Log. If a specific critical parameter (e.g., "Sterilization Time") is changed, trigger an immediate email to the Quality Director. Don't wait for the monthly audit to find out.
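An added example (not code from the original page or from any MES product) that puts the Immutability Standard, the Who/What/Where/Why format and the Pro-Tip together: each entry carries the full change context, is HMAC-signed and chained to the previous entry's MAC, a verifier reports the first entry that was altered, and writes to a critical parameter raise an alert at write time. The signing key, the critical-parameter list and the log lines are constructed; in practice the key belongs to the log service, not to the MES administrators. The example also shows the limit noted above: deleting the last entry is not caught by the chain alone.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict, replace
from typing import List, Optional

SIGNING_KEY = b"demo-audit-key-replace-in-production"   # constructed; held by the log service
CRITICAL_PARAMETERS = {"Sterilization_Time"}            # constructed alert list
GENESIS = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    timestamp: str
    user: str
    parameter: str
    old_value: str
    new_value: str
    reason: str
    station: str
    prev_mac: str           # MAC of the previous entry: the chain link
    mac: str                # HMAC-SHA256 over every other field


def _mac(key: bytes, fields: dict) -> str:
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes = SIGNING_KEY) -> None:
        self._key = key
        self.entries: List[AuditEntry] = []
        self.alerts: List[str] = []

    def record(self, timestamp: str, user: str, parameter: str, old_value: str,
               new_value: str, reason: str, station: str) -> AuditEntry:
        prev = self.entries[-1].mac if self.entries else GENESIS
        body = dict(seq=len(self.entries), timestamp=timestamp, user=user, parameter=parameter,
                    old_value=old_value, new_value=new_value, reason=reason, station=station,
                    prev_mac=prev)
        entry = AuditEntry(**body, mac=_mac(self._key, body))
        self.entries.append(entry)
        if parameter in CRITICAL_PARAMETERS:      # the "Alerting Rule": fire at write time
            self.alerts.append(f"ALERT seq={entry.seq}: {user} changed {parameter} "
                               f"{old_value} -> {new_value} at {station}")
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = asdict(e)
            stored = body.pop("mac")
            if e.seq != i or e.prev_mac != prev:
                return i
            if not hmac.compare_digest(_mac(self._key, body), stored):
                return i
            prev = stored
        return None


def render(e: AuditEntry) -> str:
    """The "Good Log" line format from the text."""
    return (f"{e.timestamp} - User: {e.user} - Changed [{e.parameter}] from [{e.old_value}] "
            f"to [{e.new_value}]. Reason: [{e.reason}]. Station: [{e.station}]")


if __name__ == "__main__":
    log = AuditLog()
    e0 = log.record("10:00 AM", "J.Doe", "Oven_Temp", "240C", "245C", "New Profile A1", "Oven-01")
    log.record("10:05 AM", "A.Smith", "Sterilization_Time", "30min", "25min", "Cycle trial", "Autoclave-02")
    print(render(e0))
    print("alerts:", log.alerts)
    print("intact:", log.verify() is None)
    log.entries[0] = replace(e0, new_value="240C")     # an admin rewrites history
    print("first bad entry after tampering:", log.verify())
```

Because every MAC covers the previous MAC, changing one entry breaks the check for that entry and, if it were re-signed with a stolen key, every entry after it. Truncation from the tail is the one edit the chain cannot see, which is why the Storage bullet above insists on WORM media or an externally anchored head.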

Final Checklist

Category   | Metric / Control | Threshold / Rule
-----------|------------------|-----------------------------------------------------
Identity   | Attribution      | 100% of actions linked to a unique Named User
RBAC       | Granularity      | Users mapped to AD Groups, not local DB permissions
Auth       | Friction         | RFID/Badge Login enabled for Shop Floor terminals
Security   | Timeout          | Auto-logout set to < 10 mins on shared terminals
Risk       | Elevation        | Critical changes require Double-Auth (Re-entry)
Audit      | Retention        | Logs kept for Product Lifetime + X Years
Compliance | Traceability     | Audit Log captures "Old Value" + "New Value"