Security of information in intelligent manufacturing enterprises. An analysis of case studies of EU enterprises

Summary

Currently, the market value of an intelligent enterprise depends on the value of the information processed by it, used in research and development as well as the or-ganisation of production process. Illegally obtaining information regarding R&D and technology allows competitors to save vast financial resources and additionally achieve a leading position faster, hence why appropriate protection and information management are of such high significance to intelligent enterprises. The scope of this article is to present results of research concerning the security of information in intel-ligent enterprises based in Poland, Holland and Italy. The conclusions drawn from the conducted research may be interesting both to academics and practitioners managing intelligent manufacturing enterprises in the global economic structure.

Keywords: intelligent manufacturing enterprises, MIS, Information Security Introduction

In an intelligent manufacturing enterprise, high indicators of economic growth and a high mar-ket position are achieved mainly through a skilful use of knowledge and information linked to re-search and development activities, as well as the organisation of production. This is why accumu-lated knowledge included in patent descriptions, projects, research results, description of production technology, etc., may be illegally obtained by the competition in a given industry in order to save vast financial resources that would have to be spent on research and achieve the leading position earlier and at a lower cost. Research conducted in over a half of the most innovative French enter-prises has shown that 40% of them had their products counterfeited and 20% were victims of indus-trial espionage [1]. These threats are not just a contemporary issue, history notes. Celts took over Roman road paving technology, Persians stole Chinese secrets of silk production and Marco Polo is nowadays seen as the biggest industrial spy in history. Not much has changed since then and nowa-days the most frequently stolen information is: detailed data concerning customer relations, R&D results, strategic enterprise development plans, information concerning production technology and software source codes. Literature study shows that it is electronic information that is most at risk, and not information in a paper or verbal form [2]. The result of information theft is the loss of goodwill or reputation, the loss of competitive advantage in the area of provided services or products and the loss of economic benefits resulting from the technology developed to provide services and products [2]. Respondents point out that the stolen information is usually adapted in as little as 12 months [2].

According to the author, in the times of economy based on knowledge and in the face of global competition, introducing an effective system that can manage information security and minimise threats to information resources is one of the biggest problems in contemporary intelligent

manu-The article stems from an attempt to describe the sources of threats linked to intercepting im-portant information saved in a digital format in intelligent manufacturing enterprises and to also describe how the enterprises try to secure information. The aim of the article is to identify the threats to information security in intelligent manufacturing enterprises and indicate the ways to neutralise them . Research problem can be formulated as a question:

What are the most important internal and external risks linked to the theft of sensitive infor-mation saved in a digital format in intelligent manufacturing enterprises that can be crucial to their competitive advantage?

In order to find the answer to the research problem and achieve the aim, the author conducted qualitative research through the multiple case study analysis on the sample of three enterprises – from Poland, Holland and Italy, which are amongst the leading companies in their respective indus-tries.

1. Security of information in intelligent manufacturing enterprises

The term “intelligent enterprise” was popularised by J.B. Quinn in his publication Intelligent Enterprise, stating that intelligence is the key resource in production and services [3, 354]: “With rare exceptions, the economic and producing power of the firm lies more in its intellectual and ser-vice capabilities than its hard assets – land, plant and equipment”.

Currently, we can point to many attributes of intelligent organisations, such as the speed and flexibility of action, the ability to observe the environment, detect market signals early on, swiftly react to changes in the environment, to create and develop knowledge, quickly implement new so-lutions based on knowledge, manage the obtained knowledge, and achieve economic benefits on the basis of the obtained knowledge [4].

Information security means that information which is important from a legal and business point of view is protected against unauthorised access, destruction or modification and it is always avail-able to the authorised person. Information management, in turn, is a defined set of behaviours, which indicates how enterprises obtain and distribute knowledge, and how they use it [5]. The ISO/IEC 27002:2005 Standard “Information technology – Security techniques – Code of Practice for Infor-mation Security Management” is a set of practices used to manage inforInfor-mation security and defines information as an asset highly valuable to the organisation, which for this reason should be protected [6]. Most of all, information management should include monitoring how the information is ob-tained, produced, processed and distributed, as well as monitoring the information “pathway” within the enterprise structure and raising awareness amongst the employees through training in infor-mation security [7, 71–85]. While developing an inforinfor-mation security management system in intel-ligent enterprises, it is very important to include it in the processes taking place in the enterprise, incorporate it in the general management structure and integrate it.

It is important to point out that an effective information security system in intelligent enterprises should apply to information systems in a considered and well-organised way, being a purposeful and financially justifiable security investment. In modern production enterprises, we can distinguish two groups of IT systems, which support enterprises at different stages of the process of production, supply, sale and service:

1. CIM (Computer Integrated Manufacturing) is an integrated use of computers, machinery, transport equipment and others in all the activities of a manufacturing enterprise, linked to produc-tion, as it is broadly understood [8, 202]. CIM construction environment is based on three main systems:

a. CAD (Computer Aided Design) – design systems, understood as computer systems sup-porting construction work;

b. CAM (Computer Aided Manufacturing) – manufacturing systems, understood as computer aided systems of operating machinery and technological appliances;

c. ERP (Enterprise Resource Planning) – systems for production planning and control. These systems can be complemented with various additional systems, such as:

a. CAQ (Computer Aided Quality Control);

b. CAT (Computer Aided Testing) – computer aided testing of the quality of production, ma-chinery, appliances and tools;

c. CAE (Computer Aided Engineering);

d. CAP (Computer Aided Planning) – computer aided preparation and production planning; e. CAPP (Computer Aided Process Planning).

2. CRM (Customer Relationship Management)

3. CAL (Computer Aided Logistics) – computer systems supporting logistics include the functions of planning, control, IT coordination, as well as simulation of processes. An important part of functionalities responsible for logistic support is included in ERP systems. ERP systems, however, can be complemented with different additional systems, such as:

a. SRM – Supply Relationship Management, b. SCM – Supply Chain Management, c. WMS – Warehouse Management Systems.

In the processes of the flow of goods and information between cooperating organisations, a par-ticularly important role is played by the standards of electronic data interchange (EDI), bar codes and radio frequency identification (RFID).

4. BI (Business Intelligence).

The IT systems presented above are important tools in intelligent manufacturing enterprises, however it needs to be stressed that in information security systems, other additional elements need to be considered: operating systems, databases, and office productivity software office suites con-taining spreadsheets, word processing and other specialised applications necessary for managing an intelligent enterprise.

A coherent information security system should protect the information collected, processed and shared in the above mentioned IT systems, so that they are protected against unauthorised access, destruction or modification by unauthorised persons.

2. Research method

In his research, the author used the multiple case study method, which – according to R. Yin [9, 2003] – is the most appropriate method for testing a theory, but also a method allowing for the completion of a theory [10, 532–550]. Moreover, the multiple case study method often provides useful in-depth conclusions that help better understand the behaviour of enterprises [11]. The objects

The researched enterprises were classified as intelligent enterprises as they met three qualities of intelligent enterprises, as defined by Łobejko [4]. These enterprises face the challenge of inden-tifying and eliminating threats linked to theft of sensitive information. The scope of the case study is to broaden the knowledge of intelligent manufacturing enterprises, especially a better understand-ing of implementunderstand-ing information security systems in this type of enterprises. The author uses the method as it allows for developing the existing theory and provides explanations for the phenome-non of securing sensitive information which constitutes an important asset in intelligent enterprises. The choice of case study method as the research method is mostly based on the following two cir-cumstances:

1) An early stage of knowledge development in the sphere of research on information security in intelligent enterprises.

2) A lack of complete understanding of the issue of sensitive information theft in intelligent enterprises.

In this case study, the author poses the following research question:

What are the most important internal and external risks linked to the theft of sensitive infor-mation saved in a digital format in intelligent manufacturing enterprises that can be crucial to their competitive advantage?

The research was conducted by the author in person through the method of direct interviews [12]. The respondents were company directors and general directors. It was partly based on a struc-tured interview script [13], which had been prepared on the basis of literature analysis and pilot analytical workshops with enterprise owners. Importantly, using this method of data collection al-lowed for obtaining full answers to the questions and had a positive impact on their quality.

3. Research results

Table 1 presents research results based on the multiple study method in three intelligent enter-prises located in Poland, Holland and Italy. Both the indicated sources of threats and the type of information that was stolen most frequently have been prioritised according to the information ob-tained from the respondents.

Table 1. Research results Company

profile

Electronic industry. Medium-sized enterprise, according

to the EU definition*

Chemical industry. Medium-sized enterprise ac-cording to the EU definition*

Interior design in-dustry. Medium-sized en-terprise according to

the EU definition*

Location Poland Holland Italy

Identified qualities of an intelli-gent enter-prise

1. Ability to adapt to changes taking place in the environment. 2. Ability to manage the possessed

knowledge.

3. Ability to create and develop knowledge.

1. Ability to quickly imple-ment new solutions based on knowledge.

2. Ability to observe the envi-ronment.

3. Achieving economic bene-fits on the basis of the pos-sessed knowledge. 4. Ability to detect market

sig-1. Ability to detect market signals early. 2. Ability to create and develop knowledge faster than the competi-tors.

Company profile

Electronic industry. Medium-sized enterprise, according

to the EU definition*

Chemical industry. Medium-sized enterprise ac-cording to the EU definition*

Interior design in-dustry. Medium-sized en-terprise according to

the EU definition*

Location Poland Holland Italy

3. Ability to manage possessed the knowledge. 4. Achieving

eco-nomic benefits 5. on the basis of the

possessed knowledge. Indicated threats linked to the theft of im-portant in-formation

1. Employees who left the com-pany.

2. Employees working for the com-pany.

3. Local and international competi-tors.

4. Organised criminal groups trying to

5. commit extortion.

1. Employees who left the company.

2. Employees working for the company.

3. Local and international competitors.

4. Organised criminal groups trying to

5. commit extortion. 6. Industrial espionage.

1. Employees who left the company. 2. Employees work-ing for the com-pany.

3. Local and inter-national competi-tors.

4. Organised crimi-nal groups trying to commit extor-tion. Type of in-formation stolen most often

1. Source codes of files included in computer programmes supporting CAD construction work contain-ing projects, SolidWorks durcontain-ing prototyping with the use of 3D printers.

2. Trade agreements, price lists and description of marketing activi-ties.

3. Source codes of files included in computer programmes supporting machine operating systems, e.g. CNC tools.

4. Client and supplier database from CRM systems.

5. Financial budgets reflecting the assumed strategy included in spreadsheets

1. Source codes of files con-taining solutions to specific technological design prob-lems in applications such as Matlab and Simulink, 2. Trade agreements, price

lists, and description of marketing activities. 3. Information concerning the

character of the organisa-tion, i.e. BOM, production schedule, numeric infor-mation allowing the com-pany for effective resource planning according to the MRP II concept. Infor-mation comes from an ERP system.

4. Client and supplier data-base from CRM systems.

1. Source codes of files from com-puter systems supporting CAD construction work containing trade agreements, price lists, and de-scription of mar-keting activities. 2. Information

con-cerning salary structure from the HR and payroll system.

3. Client and sup-plier database from CRM sys-tems.

or the annual balance sheet total does not exceed EUR 43mln. The conditions of classifying an entrepreneur to a given category are subject to conjunction.

Source: own elaboration.

Depending on the type of business activity, company size and the type of cooperative relations (employee, co-operative, client), intelligent manufacturing enterprises identify similar sources of threat linked to information security. To synthesize research results, I can indicate the following major threats:

1. Employees who left the company. In this case the respondents indicated three types of em-ployee behaviour:

a. Employees whose expectations towards the employee or ambitions were not satisfied. Their intention is to use information and knowledge that they gained and used professionally by offering it to an interested party, both to benefit financially and to expose their employer to potential losses. b. Employees who were hired by the competition to steal information and knowledge that they gained and used.

c. Employees who, climbing the career ladder, identify a potential new employer (usually a competitor), offering them a higher position and salary, and collect information that could poten-tially be of interest to the new employer.

2. Employees who still work for the company.

3. Competitors who specialise in a similar business activity.

4. Organised criminal groups trying to commit extortion. The respondents worry that they might be blackmailed by organised criminal groups who possess information stolen from the client’s resources.

5. Industrial spies working for their clients.

I need to stress that in all the studied enterprises, the concerns regarding the sources of infor-mation theft and knowledge are similar. As far as the type of inforinfor-mation is concerned, the two most often stolen were:

1. Source codes of files included in computer systems supporting construction work contain-ing projects that constitute intellectual property. The respondents indicated that source files included projects completed in applications such as AutoCad, Simulink, Corel Draw, SolidWorks.

2. Trade agreements, price lists, and description of marketing activities.

Other most commonly stolen information is linked to the organisation and technology of pro-duction that constitute a competitive advantage, client and supplier databases and information con-cerning the financial strategy of the enterprise and the structure of costs included in the budgets and contracts with the employees.

The respondents pointed out that a crucial issue in information security is the synergy between implementing coherent procedures as part of the information security system and the generally un-derstood IT infrastructure, constituting connecting the equipment and computer hardware to the software. Companies are exposed to many threats in the area because of a high level of complexity, the constantly changing specialised software supporting production management, and the changing versions of office suites.

In the context of obtaining knowledge through electronic means, we can speak about external security (resistance to external hacking attacks and externally applied malware, etc), and internal security (resistance to potential internal attacks carried out by the employees, hackers and internally applied malware, etc) [14, 137–144]. When it comes to the sources of data leak and the methods of

obtaining knowledge saved in electronic files, the studied enterprises indicated the following areas: obtaining electronic files, printing, copying the contents (copy and paste), print screen (PrtScr key, programmes performing print screen and/or filming the activities on the screen, remote desktop sharing). In-depth analytical workshops with the respondents indicated that currently IT systems are one of the important tools in securing information.

Selected Security Systems related to documents is a class of IT systems whose function is to securely protect a wide group of electronic files and IT resources against theft and use by unauthor-ised persons. During the research, two out of three enterprises were at a stage of selecting an appro-priate DSS system that could protect the files containing source codes from computer systems sup-porting construction work, as well as trade agreements, price lists and the description of marketing activities contained in files that make part of office suites.

4. Conclusions

The research problem in this article was the question of which threats linked to the theft of digitally saved information crucial to achieving competitive advantage in intelligent manufacturing enterprises are most important. The conducted research allowed to formulate the following answer: the most important threats linked to the risk of losing vital information shaping the enterprise’s competitive advantage – and hence the risk of losing the competitive advantage in a relatively short time – are external attacks, data theft from inside the enterprise and sharing sensitive files outside the organisation. The aim of the article was to indentify the threats to the security of information in intelligent enterprises. The research has shown that the threat comes in the first place from the em-ployees who had left the company and the emem-ployees who still work in the company [15, 1-13]. In the second place, the threat comes from competitive companies specialising in a similar type of business activity. In the third place, the threat comes from organised criminal groups trying to com-mit extortion. People attempting to steal information are mainly interested in the results of R&D work included in files that contain source codes from computer systems supporting construction work containing projects that constitute intellectual property.

Accumulated knowledge included in patent descriptions, projects, research results, description of manufacturing technology etc, can be illegally obtained in order to save vast financial resources that competitive companies from a given industry would have to spend on research, so that they can achieve the leading position earlier and at a lower cost. The second most important were files con-taining trade agreements, price lists and descriptions of marketing activities indicating the enter-prise’s development strategy. Amongst the studied organisations, all the enterprises declared that they were aware of the threats linked to information security; however the level of determination to invest in organisational and IT security that would allow for the protection of information was not high in Polish and Italian enterprises. Polish and Italian enterprises were in the early stages of cre-ating a coherent information security system, for instance by considering the purchase of a DSS IT system; the Dutch company, meanwhile, already owned a DSS information security system imple-mented a few years earlier and as part of it had impleimple-mented organisational procedures and config-ured IT systems, including DSS.

The author hopes that the research results presented in this article can help achieve two goals – they will indicate important sources of threats linked to the theft of sensitive information saved in

information security amongst the managers of intelligent manufacturing enterprises in Europe that aspire to fight for global markets.

Bibliography

[1] Martinet B., Marti Y.M., Wywiad gospodarczy. Pozyskanie i ochrona informacji, PWE, War-szawa 1999.

[2] Trends in Proprietary Information Loss. Survey Report. June 2007. The National Counterintel-ligence Executive.

[3] Quinn J.B., Intelligent Enterprise, Free Press, New York 1992.

[4] Łobejko S., Trendy rozwojowe inteligentnych organizacji w globalnej organizacji. (Study pre-pared by EMAR Research Marketing), 2009, http://www.przedsiebiorczosc.uw.edu.pl/up-loads/images/2010_Ekspertyza%20-%20Inteligentne%20organizacje.pdf,

accessed: 30.12.2015.

[5] Prusak L., Davenport T.H., Information Ecology. Mastering the Information and Knowledge Environment, Oxford University, New York 1997.

[6] Sun J., Chen Y., Intelligent Enterprise Information Security Architecture Based on Service Ori-ented Architecture, „Future Information Technology and Management Engineering” 2008, FITME '08.

[7] Sobczak J., Znaczenie informacji dla bezpiecze
stwa przedsibiorstwa, „Securitologia” 2014, no 2.

[8] Januszewski A., Funkcjonalno informatycznych systemów zarzdzania, t. 1, Wydawnictwo Naukowe PWN, Warszawa 2011.

[9] Yin R., Case Study Research, Design and Methods, ed. 3, Sage Publications, Newbury Park 2003.

[10] Eisenhardt K.M., Building Theories from Case Study Research, „Academy of Management Review” 1989, vol. 14, no. 4.

[11] Reiner G., Demeter K., Poiger M., Jenei I., The Internationalisation Process in Companies Located at the Borders of Emerging and Developed Countries, „International Journal of Oper-ations and Production Management” 2008, no. 28(10).

[12] Maxwell J.A., Qualitative Research Design: An Interactive Approach, ed. 2, SAGE Publica-tions, Thousand Oaks, CA 2005.

[13] Nikodemska-Wołowik A.M., Klucz do zrozumienia nabywcy – jakociowe badania marketin-gowe, Verde, Warszawa 2008.

[14] liwiski R., Systemy ochrony danych w nowoczesnej firmie, in: Bezpiecze
stwo współcze-snego wiata. Informatyka, technika, gospodarka, ed. Z. Dziemianko, Wydawnictwo Wyszej Szkoły Handlu i Usług, Pozna 2011.

[15] Centrum Bada Opinii Społecznej, Etyka Zawodowa – Opinie Społeczne i Faktyczne Zacho-wania Pracowników, Warszawa 2017.

BEZPIECZEēSTWO INFORMACJI W INTELIGENTNYCH PRZEDSIĉBIORSTWACH PRODUKCYJNYCH.

ANALIZA STUDIÓW PRZYPADKÓW WĝRÓD PRZEDSIĉBIORSTW Z UE Streszczenie

W organizacji inteligentnej wysokie wskaniki wzrostu ekonomicznego oraz wy-soka pozycja rynkowa s osigane dziki umiejtnemu wykorzystaniu wiedzy i infor-macji. Nielegalne uzyskiwanie informacji dotyczcych bada
i rozwoju oraz techno-logii pozwala konkurentom oszczdza ogromne zasoby finansowe i dodatkowo szybciej zdobywa pozycj lidera, dlatego odpowiednie zarzdzanie ochron i infor-macj ma tak due znaczenie dla inteligentnych przedsibiorstw. Celem artykułu jest przedstawienie wyników bada
dotyczcych bezpiecze
stwa informacji w inteligent-nych przedsibiorstwach produkcyjinteligent-nych z Polski, Holandii i Włoch. Wnioski płynce z przeprowadzonych bada
mog zainteresowa zarówno naukowców, jak i praktyków zarzdzajcych inteligentnymi przedsibiorstwami produkcyjnymi w globalnej struk-turze gospodarczej.

Słowa kluczowe: produkcja, przedsibiorstwa inteligentne, MIS, bezpieczestwo informacji Bartosz Wachnik

Department of Production Engineering, Institute of Productive Systems Organisation Warsaw University of Technology