
IT Availability Risks in Smart Factory Networks – Analyzing the Effects of IT Threats on Production Processes Using Petri Nets


In manufacturing, concepts like the Internet of Things or Cyber-physical Systems accelerate the development from traditional production facilities towards smart factories. Thereby, emerging digital technologies increasingly connect information networks with production processes, forming complex smart factory networks (SFNs). Due to their reliance on information flows and the high degree of cross-linking, SFNs are, in particular, vulnerable to IT availability risks caused by attacks and errors. Against this backdrop, we present a modelling approach for analyzing the effects of IT threats on production processes. Based on Petri Nets, we provide modular SFN components for modelling SFN architectures and for simulating stochastic attack and error propagation. With this, we support the analysis and comparison of different SFN architectures regarding spreading effects, availability of information and production components, and associated effects on productivity. Our approach enables and serves as a foundation for decision support on SFN layouts from a risk perspective and the derivation of IT security mitigation measures in both research and practice. We evaluate our artefact by implementing and applying a software prototype in artificial and real-life settings.


Data Availability

The datasets generated and analysed during the current study are available from the corresponding author on reasonable request.

Code Availability

The software prototype used during the current study is available in a public repository (; GitHub upon acceptance).


  1. [GitHub upon acceptance]



Author information



Corresponding author

Correspondence to Christopher van Dun.

Ethics declarations

Competing Interests

The authors have no relevant financial or non-financial interests to disclose.




Table 6 Full List of Design Objectives

Appendix B – Description of Artefact Instantiation as Software Prototype

We implemented an instantiation of our artefact as a software prototype in order to provide a proof of concept and evaluate its real-world fidelity and applicability by applying it in artificial and naturalistic settings. The software allows us to create different scenarios defining SFNs and simulate stochastic events and their impact on the availability of components. It was built using standard software development concepts and implemented using the numerical computing environment and programming language MATLAB, which is often chosen in scientific research due to its expressiveness and flexibility. We did not use traditional PN modelling software because there is no tool available that covers all used PN extensions and allows us to add additional functionality such as import and export of scenarios and static stochastic (Monte Carlo) simulation. Additionally, MATLAB offers high flexibility and reusability of components. Therefore, PNs are instantiated and manipulated in matrix notation, and the prototype uses built-in MATLAB functionality to simulate stochastic events. All modules of the implementation have been extensively tested to allow for robust, reproducible results. The simulation code can be accessed (see Footnote 1).
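
The matrix-notation Petri net and Monte Carlo simulation described in this appendix can be illustrated as follows. This is an added example in Python, not the authors' MATLAB prototype; the five-place net, its place and transition names, the step semantics and all probabilities are constructed assumptions.

```python
import random

# Constructed toy network: one server and one controller that drives production.
# Place/transition names and all probabilities are assumptions for illustration.
PLACES = ["srv_up", "srv_down", "ctl_up", "ctl_down", "produced"]
TRANSITIONS = ["attack_srv", "spread_to_ctl", "repair_srv", "repair_ctl", "produce"]

# PRE[p][t]: tokens transition t consumes from place p.
# POST[p][t]: tokens transition t deposits in place p.
# A 1 in both matrices is a read arc: the token is required but stays put.
PRE = [
    [1, 0, 0, 0, 0],  # srv_up
    [0, 1, 1, 0, 0],  # srv_down
    [0, 1, 0, 0, 1],  # ctl_up
    [0, 0, 0, 1, 0],  # ctl_down
    [0, 0, 0, 0, 0],  # produced
]
POST = [
    [0, 0, 1, 0, 0],  # srv_up
    [1, 1, 0, 0, 0],  # srv_down
    [0, 0, 0, 1, 1],  # ctl_up
    [0, 1, 0, 0, 0],  # ctl_down
    [0, 0, 0, 0, 1],  # produced
]
M0 = [1, 0, 1, 0, 0]  # everything available, nothing produced yet
N_P, N_T = len(PLACES), len(TRANSITIONS)


def is_place_invariant(weights):
    """True if weights^T * (POST - PRE) = 0, i.e. the weighted token sum never changes."""
    return all(
        sum(weights[p] * (POST[p][t] - PRE[p][t]) for p in range(N_P)) == 0
        for t in range(N_T)
    )


def enabled(m, t):
    return all(m[p] >= PRE[p][t] for p in range(N_P))


def fire(m, t):
    return [m[p] - PRE[p][t] + POST[p][t] for p in range(N_P)]


def simulate(prob, steps, rng):
    """One run: returns (units produced, share of steps ending with the controller up)."""
    m, ctl_up_steps = list(M0), 0
    for _ in range(steps):
        order = list(range(N_T))
        rng.shuffle(order)  # random visiting order resolves conflicts over ctl_up
        for t in order:
            if enabled(m, t) and rng.random() < prob[TRANSITIONS[t]]:
                m = fire(m, t)
        ctl_up_steps += m[PLACES.index("ctl_up")]
    return m[PLACES.index("produced")], ctl_up_steps / steps


def monte_carlo(prob, steps=200, runs=500, seed=1):
    """Mean output and mean controller availability over independent runs."""
    rng = random.Random(seed)
    results = [simulate(prob, steps, rng) for _ in range(runs)]
    return (sum(r[0] for r in results) / runs, sum(r[1] for r in results) / runs)


if __name__ == "__main__":
    flat = {"attack_srv": 0.05, "spread_to_ctl": 0.5, "repair_srv": 0.1,
            "repair_ctl": 0.1, "produce": 1.0}
    segmented = dict(flat, spread_to_ctl=0.05)  # same threat, harder lateral spread
    for name, prob in (("flat", flat), ("segmented", segmented)):
        out, avail = monte_carlo(prob)
        print(f"{name:10s} mean output {out:6.1f}  controller availability {avail:.3f}")
```

Keeping separate PRE and POST matrices rather than only their difference preserves read arcs, which cancel to zero in the incidence matrix yet still gate whether production can fire.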


Cite this article

Berger, S., van Dun, C. & Häckel, B. IT Availability Risks in Smart Factory Networks – Analyzing the Effects of IT Threats on Production Processes Using Petri Nets. Inf Syst Front (2022).



  • Smart factory network
  • Information network
  • Production network
  • IT availability risks
  • Attack propagation
  • Petri nets