Multi-factor authentication rollout for production scheduling

We recently completed a full MFA rollout across our production scheduling environment running AM 2023.1. The project was driven by compliance requirements and several unauthorized access incidents in Q1. Our implementation focused on three key areas: integrating MFA with our existing authentication infrastructure, implementing step-up authentication for sensitive operations, and enhancing audit logging for security monitoring.

We deployed hardware tokens for shop floor supervisors and mobile authenticators for planning staff. The step-up authentication triggers whenever users attempt to override production schedules or modify resource allocations. All authentication events now flow into our centralized SIEM system with detailed context about what operations were attempted.

The rollout took 6 weeks including pilot testing with 15 users before full deployment to 200+ scheduling users. We’ve seen a 75% reduction in unauthorized access attempts and zero security incidents since go-live. Happy to share implementation details and lessons learned.

The audit logging piece is what interests me most. Are you capturing just authentication events or also the business context? Our auditors want to see not just ‘who logged in’ but ‘who changed what schedule and when’ with full traceability.

Completely policy-based through AM’s security framework. We defined risk levels for different operations in the production scheduling module. High-risk actions like schedule overrides, resource reassignments, and emergency work order creation trigger step-up prompts. Medium-risk operations like viewing sensitive cost data require re-authentication if the session is older than 2 hours.

The policies are configured in XML and can be updated without code changes. We integrated with our existing identity provider using SAML, so the step-up challenge flows through the same authentication backend. This gave us centralized policy management across all our manufacturing systems.

Did you encounter any performance issues with the additional authentication checks? We’re concerned about latency for real-time scheduling operations where milliseconds matter.

We went with YubiKeys after extensive testing. The USB-C and NFC dual-mode support was crucial for our mixed device environment. Shop floor supervisors use rugged tablets with NFC, while planners have standard workstations. RSA tokens would have required separate mobile apps which added friction.

For adoption, we ran hands-on training sessions at shift changes - 30 minutes per group. The key was demonstrating that MFA actually speeds up their workflow because they don’t need to remember complex passwords anymore. Touch the key, authenticate once per shift, and you’re done. We also created laminated quick reference cards and posted them at each workstation.

Great questions from both of you. Mark - yes, we capture full business context in our audit logs. Every authentication event includes the user identity, authentication method, device fingerprint, operation attempted, and the actual data being accessed or modified. For schedule changes specifically, we log the before/after state, affected work orders, resource IDs, and timestamp deltas.

The audit integration was straightforward using AM’s event framework. We implemented custom event handlers that enrich authentication events with business context before sending them to our SIEM. The logs include correlation IDs that tie authentication events to subsequent operations, making it easy to trace an entire user session.

Rachel - performance impact has been negligible. The initial MFA authentication adds about 800ms during login, but that’s a one-time hit per shift. Step-up authentication for high-risk operations adds 200-300ms, but these are infrequent actions where users expect a confirmation dialog anyway. Real-time scheduling operations use the cached authentication token with no additional latency.

We did extensive load testing during our pilot. With 200 concurrent users performing mixed operations, we saw zero degradation in scheduling response times. The key was implementing proper token caching and ensuring our identity provider could handle the authentication load. We also configured authentication failover to a secondary IdP for resilience.

Key implementation details:

MFA Integration Approach:

  • FIDO2/WebAuthn protocol for YubiKeys (passwordless)
  • TOTP backup method for mobile users without hardware tokens
  • Grace period authentication for emergency scenarios (requires manager approval)
  • Seamless SSO integration with other manufacturing systems

Step-up Authentication Triggers:

  • Schedule override operations (any deviation from approved plan)
  • Resource capacity modifications (>10% change)
  • Emergency work order creation (unplanned downtime)
  • Historical data modifications (audit trail concerns)
  • Bulk operations affecting >50 work orders

Audit Log Enhancements:

  • Real-time streaming to Splunk via syslog
  • Structured JSON format with 40+ contextual fields
  • Correlation IDs linking auth events to business operations
  • Geographic location tracking (IP geolocation)
  • Device fingerprinting for anomaly detection
  • Retention policy: 7 years for compliance

Lessons learned: Start with a small pilot group that includes both tech-savvy and resistant users. Their feedback was invaluable. Also, don’t underestimate the importance of executive sponsorship - having our plant manager visibly use MFA accelerated adoption. Budget extra time for integration testing with legacy systems that might not fully support modern auth protocols.

The 75% reduction in unauthorized access attempts came from a combination of MFA deterrence and better visibility into suspicious patterns through enhanced logging. We can now detect and respond to anomalies within minutes instead of discovering them weeks later during audits.
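The step-up triggers and correlation-ID audit events described across this thread, as an added example in Python (this is not the poster's XML policy or the scheduling product's event framework; the thresholds are the ones quoted above, while the `Session` shape, field names and sample values are assumptions constructed for illustration):

```python
# Added example: step-up decision plus enriched audit event in the shape the thread
# describes; illustrative Python, not the scheduling product's policy engine or XML.
import json
import uuid
from dataclasses import dataclass, field

HIGH_RISK_OPS = {"schedule_override", "emergency_work_order", "historical_edit"}
MEDIUM_RISK_OPS = {"view_cost_data"}
CAPACITY_CHANGE_PCT = 10.0   # capacity changes above this trigger step-up
BULK_WORK_ORDER_LIMIT = 50   # bulk operations above this trigger step-up
REAUTH_AFTER_HOURS = 2.0     # medium-risk views re-authenticate past this session age

@dataclass
class Session:
    user: str
    auth_method: str             # "fido2" (YubiKey) or "totp" (mobile backup)
    age_hours: float             # time since the shift's initial MFA login
    device_fingerprint: str
    correlation_id: str = field(default_factory=lambda: uuid.uuid4().hex)

def required_auth(session, kind, capacity_change_pct=0.0, work_order_count=1):
    """Return 'step_up', 'reauth' or 'none' for an operation under the posted policy."""
    if kind in HIGH_RISK_OPS:
        return "step_up"
    if kind == "capacity_change" and abs(capacity_change_pct) > CAPACITY_CHANGE_PCT:
        return "step_up"
    if work_order_count > BULK_WORK_ORDER_LIMIT:
        return "step_up"
    if kind in MEDIUM_RISK_OPS and session.age_hours > REAUTH_AFTER_HOURS:
        return "reauth"
    return "none"

def audit_event(session, kind, decision, ts, before=None, after=None, work_orders=()):
    """Structured JSON for the SIEM: auth context and business context linked by correlation_id."""
    return json.dumps({"ts": ts, "user": session.user, "auth_method": session.auth_method,
                       "device_fingerprint": session.device_fingerprint,
                       "correlation_id": session.correlation_id,   # ties op to the login event
                       "operation": kind, "auth_decision": decision,
                       "affected_work_orders": list(work_orders),
                       "before": before, "after": after}, sort_keys=True)

def demo():
    s = Session("supervisor1", "fido2", 3.0, "tablet-7f3a")  # constructed: logged in 3h ago
    decisions = [required_auth(s, "view_cost_data"),
                 required_auth(s, "capacity_change", capacity_change_pct=15.0),
                 required_auth(s, "capacity_change", capacity_change_pct=5.0),
                 required_auth(s, "schedule_override", work_order_count=60)]
    event = json.loads(audit_event(s, "schedule_override", decisions[3], "2024-01-15T09:00:00Z",
                                   {"start": "08:00"}, {"start": "10:00"}, ["WO-1001", "WO-1002"]))
    return decisions, event
```

Every event for one shift carries the same `correlation_id` as the login event, which is what lets a SIEM search reconstruct "who changed which schedule and when" from the auth record alone.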