Category: Technology

Asset Administration Shell in practice

What is an Asset Administration Shell?

Industry 4.0 promises more efficient and sustainable manufacturing processes through digitalization. The foundation for this is a seamless, automatic exchange of information between systems and products. This is where the Asset Administration Shell (AAS) comes into play.

An Asset Administration Shell is a vendor-independent standard for describing digital twins. Basically, it is the digital representation of an asset; either a physical product or a virtual object (e.g., documents or software).

The AAS defines the appearance of the asset in the digital world. It describes which information of a device is relevant for communication and how this information is presented. This means the AAS can provide all important data about the asset in a standardized and automated way.

Let us take a look at a practical application to understand the benefits of an AAS:

Use case: AAS as enabler for new services

As part of the ESCOM research project, CONTACT Software collaborates with GMN Paul Müller Industrie GmbH & Co. KG to implement AAS-based component services. The family-run company manufactures motor spindles which are installed by its customers as components in metalworking machine tools and then resold.

Before the project began, GMN had already developed a new sensor technology. It enables deep insights into the behavior of a spindle and provides information on overall operation of the spindle system. The company wants to use this data to offer new, product-related services:

  • Certified commissioning: Before GMN ships its spindles, the components are put through a defined test cycle on the company’s in-house test bench. GMN uses the data from this reference cycle to ensure that motor spindles are installed and commissioned correctly at the customer’s facility.
  • Predictive services: Using the IDEA-4S sensor microelectronics, customers shall be able to continuously record and analyze operating data that provide insights into the availability and operation of the spindles. If necessary, the data can be shared with GMN, for example, for problem analysis. This saves valuable time until the machine is back up and running. In the future, GMN will be able to offer smart predictive services like predictive maintenance.

About GMN Paul Müller Industrie GmbH

GMN Paul Müller Industrie GmbH & Co. KG is a family-owned mechanical engineering company based in Nuremberg, Germany. It produces high-precision ball bearings, machine spindles, freewheel clutches, non-contact seals, and electric drives that are used in various industries. The company manufactures most of these components individually for its customers on site and sells its products via a global sales network.

How do we realize the new services?

To provide such services, companies must be able to access and analyze the sensor data of their machines. Furthermore, machines (or their components) must be enabled to communicate independently with other assets and systems on the shopfloor.

For both tasks, GMN uses CONTACT Elements for IoT. The modular software not only helps the company to record, document and evaluate the reference and usage data of their spindles. It also includes functions that enable users to create, fill and manage the AAS for an asset.

Background

During the implementation of services based on spindle operating data, GMN benefits from the cooperation with a customer. This company installs the spindles in processing machines that GMN uses to manufacture its own products. As a result, GMN can gather the operating data in-house and use it to improve the next generation of spindles.

What role does the AAS play?

For the components to exchange information in a standardized form, an AAS must be created for the spindle at item and serial number level. This is also done using CONTACT Elements for IoT. The new services are mapped in a so-called AAS metamodel. It serves as a “link” to the service offers.

AAS and submodels

The AAS of an Industry 4.0 component consists of one or more submodels that each contain a structured set of characteristics. These submodels are defined by the Industrial Digital Twin Association (IDTA), an initiative in which 113 organizations from research, industry and software (including CONTACT Software) collaborate to define AAS standards. A list of all currently published submodels is available at https://industrialdigitaltwin.org/en/content-hub/submodels.

In CONTACT Elements for IoT, GMN can populate the AAS submodels with little effort. The platform includes a widget developed as a prototype during the research project. It provides an overview of which submodels currently exist for the asset and which are available but not yet created. Through the frontend, users can jump directly to the REST node server and upload or download submodels (in AAS/JSON format).

During the implementation of data-driven service offerings, GMN focuses on the submodels

  • Time Series Data (e.g., semantic information about time series data)
  • Digital Nameplate (e. g., information about the product, the manufacturer’s name, as well as product name and family),
  • Contact Information (standardized metadata of an asset) and
  • Carbon Footprint (information about the carbon footprint of an asset)

Filling the submodels is simple. This is demonstrated by the module Time Series Data. During the reference run of a motor spindle on the in-house test bench, the time series data is recorded by CONTACT Elements for IoT. The platform automatically transfers this data to the AAS submodel of the motor spindle being tested. At the same time, the platform creates a document for the reference run. This allows GMN to track its validity at any time and make it available to external stakeholders.

New services on the horizon

Using Asset Administration Shells allows GMN to realize its service ideas. This currently concerns the commissioning service and automated quality assurance services.

By analyzing the spindle data, the company can identify outliers in the operating data and make suitable recommendations for action. For example, different vibration velocities indicate an incorrect installation of the spindle in the machine or that time-varying processes are occurring. The analysis can also be used to provide insights about anomalies in operating behavior.

Dashboards in CONTACT Elements for IoT increase transparency. They provide GMN with all relevant information about the spindles on the test bench, from 3D models to status data. This overview is extremely valuable, particularly for quality management.

An AAS in our software Elements for IoT.

Summarized

Asset Administration Shells are vendor-independent standards for describing digital twins. They are among the most important levers for implementing new Industry 4.0 business models, as they enable communication between assets, systems, and organizations. The example of GMN demonstrates the practical benefits of the AAS. The company uses it to design new, product-related services based on information from the AAS of its products. GMN can successively improve these services by continuously analyzing operating data in CONTACT Elements for IoT.

Asset Administration Shell as a catalyst of Industry 4.0

“Country of poets and thinkers” or ” Country of ideas”: Germany is proud of its writers, scientists, researchers, and engineers. And of its meticulous bureaucracy, which aims for absolute precision in statements or indications. Combined, this often results in awkward word creation when naming technical terms. A current example of this is the “Verwaltungsschale” (literally: administration shell), whose innovative potential and central relevance for Industry 4.0 are not immediately apparent.

What is an Asset Administration Shell?

“Verwaltungsschale” is not a dusty administrative authority, but the very German translation of the English term “Asset Administration Shell” (AAS). The AAS is a standardized complete digital description of an asset. An asset is basically anything that can be connected as part of an Industrie 4.0 solution (for example, plants, machines, products as well as their individual components). It contains all information and enables the exchange and interaction between different assets, systems, and organizations in a networked industry. Therefore, it is pretty much the opposite of a sluggish authority and currently the buzzword in digital transformation.

As with many new topics, definitions of AAS vary and are quite broad. From very specific like the Asset Administration Shell as an implementation of the digital twin for Industry 4.0 to the loose description of AAS as a data plug or integration plug for digital ecosystems.

I prefer the representation of the AAS as a metamodel for self-describing an asset. With this metamodel, further models can be generated to provide collected information. Through the use of software, these models are then “brought to life” and are made available to others via interfaces.

Concept and usage of the Asset Administration Shell

As a digital representation of an asset, the AAS provides information or functions related to a specific context through its submodels. Examples include digital nameplates, technical documents, the component or asset structure, simulation models, time series data, or sustainability-relevant information such as the carbon footprint. The information is generated along the various phases of the lifecycle, and it depends on the specific value network which asset information is of importance. Thus, submodels are initially created in certain lifecycle phases, specified and elaborated in subsequent phases, and enriched or updated with information in the further process. Thereby, the AAS refers to either a very generic (type) or a very concrete (instance) representation of an asset.

As assets change over time (as-defined, as-designed, as-ordered, as-built, as-maintained), so does the Asset Administration Shell. Thus, multiple AASs can exist for the same asset over the lifecycle. In order to utilize the information in the AAS within its value network, it needs to be accessible. Access is usually given via the Internet or via the cloud (repository-deployed AAS). In intelligent systems, the management shell can also be part of the asset itself (asset-deployed AAS).

Information can be exchanged in various ways. Either via files, so-called AASX files (AAS type 1), via a server-client interaction such as RestAPI (AAS type 2) or via peer-to-peer interaction (AAS type 3), in which the AASs communicate independently using the so-called I4.0 language and perform tasks cooperatively.

While type 1 and 2 take a passive role in the value network and are more likely to be used with repository-held AAS, type 3 describes an active participation in the value network and is more likely to be used with asset-held AAS running smart products.

Common standards connect!

No matter what type of Asset Administration Shell you choose: Important is that the recipient and the provider speak the same language. To achieve this, the exchange of concrete information must be standardized. Considering the amount of different industries, scenarios, assets, and functions, this is an immense number of submodels that need to be standardized. Organizations and associations such as the Industrial Digital Twin Association (IDTA), formed by research institutes, industrial companies, and software providers, are tackling this mammoth task. The rapidly growing number of members as well as the lively exchange at trade fairs and conferences among each other illustrate the potential for the industry. It is important not to leave SMEs behind, but to involve them in the standardization work in the best possible way.

Conclusion

The Asset Administration Shell is at the core of successful Industrie 4.0 scenarios. It enables manufacturer-independent interoperability and simplifies the integration of all types of assets into a collaborative value network. It increases efficiency within production processes by providing complete transparency of the real-time status of each asset. And it also offers a comprehensive security concept to protect the data. Within a very short time, the AAS has thus transformed from a theoretical construct to a real application in practice. Together with partners from research and industry, we are working within the ESCOM and Flex4Res research projects to make it usable on an industrial scale.

AAS in practice

In CONTACT Elements for IoT, you can create, manage and share asset administration shells. Our blog post ‘The asset administration shell in practice’ explains how companies benefit from this.


More cybersecurity using the password

Today is “change your password day” again. A well-intentioned
initiative for more IT security. Coming originally from the military context of the 1960s, the recommendation to change your password regularly can still be found in many corporate policies today. Modern guidelines such as the current BSI Basic Protection Compendium and the NIST Digital Identities Guidelines drop this requirement because there are more effective strategies to increase password security:

Password length over complexity

First of all, a strong password needs to be changed only if there is a suspicion that it has been revealed.

Today, attackers can try out billions of passwords within a very short time using automated systems. Especially if these systems are accessible via the network or have access to the password hashes and can therefore be effectively tried offline. The complexity of the password is therefore completely irrelevant if it is too short. Recommendations for length vary from 8 to at least 14 characters.  Advances in attack tools such as Hashcat, and faster, specialized password-guessing hardware, are driving these requirements ever higher.

Compliance policies today require individualized login credentials. This eliminates the risk a password is known to many people and thus the need to change it regularly. One long password for exactly one person for exactly one service. Pretty secure.

Passwords are no repeat parts

To be honest, haven’t you ever used the same or a very similar password for multiple services? You should get rid of this habit quickly because a successful attack on one service automatically leads to a successful attack on others. The use of already privately used passwords in a corporate environment is particularly critical.

Modern password policies ensure that passwords appearing in lists of captured passwords are rejected. The website haveibeenpwand, for example, indicates whether a password has been captured. Modern systems offer interfaces to check passwords in this way. In CONTACT Elements you can easily activate them:

from cdb.sig import connect
from cdb.authentication import check_pwned_password
connect(‘password_acceptable_hook’)(check_pwned_password)

Password manager instead of one-size-fits-all

Password repeating is bad, and so are short passwords. Users face the challenge of remembering a large number of long passwords in their heads. Writing it down on a piece of paper and hiding it under the keyboard or sticking it on the bulletin board is not a solution, because a camera can capture it.

It is better to use a password manager. It can create and manage long passwords and makes them easier to enter via copy and paste. Unfortunately, some companies, driven by the concern that a Trojan will intercept the passwords on the clipboard, block the copy and paste method in their applications, preventing the use of a password manager. However, in the case of a Trojan attack, this measure is usually ineffective and companies should instruct users to use a password manager to increase their IT security.

Beware of highwaymen and tricksters

Even the strongest password does not protect against attacks if it is intercepted. It’s often surprisingly easy to do. Connections without a minimum level of security like Transport Layer Security (TLS) are an open book for any attacker. Older network protocols such as Kerberos also offer numerous gateways. Ransomware exploits these to spread across the corporate network. As soon as an administrator logs on to a compromised computer, the attacker has the credentials, and shortly thereafter gold and silver tickets are created and the Windows domain is firmly in the attacker’s hands.

Here, too, security stands or falls with the password, because it is used in the calculation of the authentication tickets and, due to the symmetrical encryption, enables the attacker to calculate the password back from the ticket.

Increase security through multiple factors

One recommendation to get around the weaknesses of passwords is to include other factors. This works very well from a security perspective. A second factor significantly increases security in almost every case. In most cases, it is of secondary importance whether these are one-time passwords such as TANs via SMS, time-based codes such as Definition Time-based One-time Password (TOTP), or even simple confirmation emails with links.

The downside of second factors is the additional effort and the impact on usability. Helpdesk processes become more complicated, users need to be trained, and login processes often happen more slowly.

Single sign-on – both a curse and a blessing

Users love single sign-on (SSO), where you only have to enter a password and a second factor once to use numerous services. This minimizes the effort enormously – but also for the attacker. Particularly if access depends on a weak password only. A central login system also solves many problems for compliance when users are blocked or reports are generated. The costs for user administration are also reduced.

Single sign-on turns the “one password per service” argument above on its head. Again, only one password stands between the attacker and your system. If the attacker knows the password, he has access. And then the single sign-on system opens all doors for the attacker.

Detect phishing

Even stronger mechanisms such as TOTP or hardware key generators do not protect if the password and access code are entered on a fake website. This practice is known as phishing. The solution, on the other hand, is channel or token binding and links (binds) the desired access to the channel through which the access is requested. This means that a token is only accepted for access to device A but not to device B of the attacker. This form of multi-factor authentication is very secure and easy to use with modern hardware or cell phones. For enterprise IT, integration with common platforms is relevant here. Windows Hello, Apple and Android support the FIDO2 / WebAuthn standard specified by the FIDO Alliance to detect phishing and make single sign-on secure.

Passwords are obsolete!?

Starting from the WebAuthn standard, there is a new initiative since 2022 with passkeys – driven by Apple, Microsoft and Google – to banish passwords from applications and single sign-on. You can change your password to a passkey today if your device supports it and use 2024’s “Change your Password Day” to delete your password and never have to use it again.

More Information on Cybersecurity

Learn everything you need to know about building a reliable IT security architecture for protection against cyberattacks in our free white paper “IT Security for Enterprises”.