The road to Pharma 4.0 taken by production companies in every sector, and in particular also in the Life Sciences, has shown that technology coupled with connectivity can deliver more efficiency and more value.

However, we often wonder whether we are ready for this "hyper-connection", sometimes forgetting that in many situations the connection has already been active for some time.

These issues were discussed at the meeting on Tuesday 3 July 2018 (Campus Bio-Medico University of Rome, PRABB Conference Room).

The Industria 4.0/Impresa 4.0 plan set out by Minister Calenda of the Italian government, like many plans in other European countries, also recalls that Cyber Security is one of the pillars on which to base one's innovation strategy.

But where are the systems to protect? Certainly in the production departments, where we find the control and automation systems on board the production lines, but let's not forget all the "ancillary" systems as well: those for the management of Buildings and Facilities, for the production of water and steam, for the production and management of fluids (gas, water, vacuum, compressed air, etc.), for energy management, and so on.

Have you already booked your visit to PHARMINTECH 2019? Come and visit us at the Bologna fair (10-12 April, PAV.21 – STAND C49) if you want to find out how to protect your PHARMA system from 4.0 THREATS


The acronyms used to identify them are those of the technologies involved: PLC, SCADA, DCS, RTU, Historian, LIMS, ERBS, DNC/CNC, factory networks, BMS, HVAC, WFI, CMMS, IoT, IIoT, etc. All these systems belong to the domain of OT (Operational Technology), the IT of the factory, which today wants to distinguish itself from the domain of IT (Information Technology) typical of all "traditional IT" systems, such as management systems, Office applications, email, ERP, HR, etc.

But there is a big difference between IT Security and OT Security.
(Figure: the difference between IT and OT Cyber Security)

IT Security aims to defend the data; OT Security aims to defend the plant controlled by the control/automation system.

The risk is not so much the loss of data as the loss of control of the system, and therefore a risk to the safety of people on the plant, damage to assets such as the plant itself, loss of production, of quality, of efficiency, etc.

Among the most effective tools to use in the OT environment to detect anomalies without affecting process performance are platforms and devices for ANOMALY DETECTION: do you know what it is?

This aspect is also highlighted by the breadth and specificity of the "attack surface": while in IT we talk about PCs, Servers and the infrastructure that connects them (recently extended to mobile devices and Cloud applications as well), in OT we talk about field buses and networks, factory networks, and connections with devices distributed within the perimeter of the plant(s), but also devices (RTU, PLC, etc.) sometimes distributed across the territory and reached over "open" connections.

Perhaps the most relevant aspect concerns precisely the security requirements for the information managed: for IT, the critical properties have been identified as Confidentiality, Integrity and Availability of information, in this precise order.

Priorities in the OT world are exactly reversed: Availability comes first, Integrity at the same level, while the Confidentiality requirement in OT is often left out as being of little relevance. To give an example, in IT it is important to protect data, IP (Intellectual Property), Privacy (see GDPR), Reputation, Business data and the company's exposure on the Web.

For OT, what matters are production, supply chain, OEE, Traceability, Quality, Operation Continuity systems, etc.

However, we must note that in regulated sectors such as Life Sciences there is a direct interdependence between protecting the data and protecting the system that manages production. Indeed, if the plant stops (whether because of a "cyber problem" or not), production stops, the finished product cannot be shipped, shipping notes and invoices are not issued, and the company does not collect payment.

But even if the plant produces regularly, if we "lose the data" relating to the batches in production we still cannot deliver the finished product, we cannot invoice, and we cannot collect payment. The topic of "Data Integrity" has become increasingly hot lately: data protection is the mantra.

If you think about the expectations behind the ALCOA acronym, which identifies the requirements to be met for Data Integrity, it follows that common "Cyber Security" strategies are being adopted to protect information. Unfortunately, however, even in the recent past, when we spoke of Security we thought only of "Access Control": we find examples of this in the various formulations of FDA 21 CFR Part 11 and in EU Annex 11.

Indeed, even GAMP5 reflects this orientation, which was widespread in 2005 when it was published.

We can see some rethinking in the Good Practice Guide documents issued by ISPE-GAMP in recent years.

However, with an eye to the Compliance of the systems, we can draw some good ideas by evaluating the GAMP5 appendices from an Operation Continuity perspective, which is perhaps the most relevant aspect for justifying investments in Security, especially in regulated sectors such as the pharmaceutical one. Hence, alongside Appendix O11 of GAMP5, entitled "Security Management" (which explicitly mentions the confidentiality-integrity-availability triad among the Security requirements), we can add the following appendices from a Security/Operation-Continuity perspective, with the value of "good practice" to adequately integrate our "Security Policy":

  • O10 “Business Continuity Management”
  • O9 “Backup & Restore”
  • O3 “Performance Management”
  • O4 “Incident Management”
  • O6 “Operational Change & Configuration Management”
  • O7 “Repair Activity”
  • O5 “Corrective & Preventive Action”
  • O8 “Periodic Review”
  • O13 “Archiving & Retrieval”

We can also recall that there are other important standards, consolidated in the industrial world, which can be valid references even though they were not designed specifically for the Life Science sector: the ISA95 standards, which illustrate the functional hierarchical model of systems within industrial organizations, and the ISA99 standard, which became IEC62443 and deals specifically with the security of systems used in manufacturing.

In particular IEC62443, in addition to defining models and terminology for the networks and systems used in the factory, illustrates how correct network architectures can be achieved through adequate segmentation into Zones and the identification and use of Conduits (physical or logical) to allow communication between zones, segregating critical IT assets in protected zones.
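As an added illustration of the zone-and-conduit model described above (example code written for this page, not from the article or from ServiTecno), the following script checks a constructed list of observed network flows against a declared segmentation policy: a cross-zone flow is acceptable only if a conduit between the two zones exists and permits that protocol, and any conduit that skips a hierarchy level is reported as an "open" connection to review. All zone, asset and protocol names are assumed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    level: int  # hierarchy level in the ISA95 sense: 1 field, 2 control, 3 site/DMZ, 4 enterprise


@dataclass(frozen=True)
class Conduit:
    a: str                # zone name
    b: str                # zone name
    protocols: frozenset  # traffic the conduit is declared to carry


# Constructed sample model (assumed names, not taken from the article).
ZONES = {z.name: z for z in (Zone("field", 1), Zone("control", 2), Zone("dmz", 3), Zone("enterprise", 4))}
CONDUITS = [
    Conduit("field", "control", frozenset({"modbus"})),
    Conduit("control", "dmz", frozenset({"opc-ua"})),
    Conduit("dmz", "enterprise", frozenset({"https"})),
    Conduit("field", "enterprise", frozenset({"mqtt"})),  # IIoT gateway pushing straight out
]
ASSETS = {"sensor-7": "field", "plc-1": "control", "scada-srv": "control",
          "historian": "dmz", "erp": "enterprise", "vendor-laptop": "enterprise"}
FLOWS = [  # (source asset, destination asset, protocol) as observed on the network
    ("plc-1", "sensor-7", "modbus"),
    ("scada-srv", "historian", "opc-ua"),
    ("historian", "erp", "https"),
    ("vendor-laptop", "plc-1", "rdp"),
    ("scada-srv", "historian", "smb"),
]


def audit_flows(assets, flows, conduits):
    """Return one message per flow that crosses zones without a declared conduit,
    or with a protocol the conduit does not permit. Intra-zone flows are not checked."""
    allowed = {frozenset({c.a, c.b}): c.protocols for c in conduits}
    violations = []
    for src, dst, proto in flows:
        zs, zd = assets[src], assets[dst]
        if zs == zd:
            continue
        permitted = allowed.get(frozenset({zs, zd}))
        if permitted is None:
            violations.append(f"{src}->{dst} ({proto}): no conduit between {zs} and {zd}")
        elif proto not in permitted:
            violations.append(f"{src}->{dst}: {proto} not permitted on conduit {zs}<->{zd}")
    return violations


def skipping_conduits(zones, conduits):
    """Conduits that jump more than one level (e.g. field straight to enterprise) bypass
    the intermediate zone; these are the 'open' connections worth reviewing first."""
    return [(c.a, c.b) for c in conduits if abs(zones[c.a].level - zones[c.b].level) > 1]


if __name__ == "__main__":
    for msg in audit_flows(ASSETS, FLOWS, CONDUITS):
        print("flow violation:", msg)
    for a, b in skipping_conduits(ZONES, CONDUITS):
        print("open conduit to review:", a, "<->", b)
```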

NIST in the USA has issued Standards that can serve as references for the protection of industrial networks and systems: think of SP800-53, a generic document on information security in organizations, and the more specific SP800-82, the "Guide to ICS Security".

However, we must note that industrial systems and technologies evolve following the trends dictated by ICT: hence Cloud, Industrial Internet, Industrial IoT (Internet of Things), Big Data and Analytics, Digital Twins, AR/VR, etc. are also used in industrial systems, as the Industry 4.0 plans also foresee.

These new architectures and technologies impose new protection models, since risks, vulnerabilities and threats can be different. In this regard, among the models and references to be studied we can consider those indicated by the CSA (Cloud Security Alliance), as well as NIST documents such as NIST SP800-144 on “Network of Things” and SP800-183 on “Guidelines on Security & privacy in Public Cloud Computing”.

Let's not forget that today threats are widespread and unpredictable, and above all come with "collateral damage" that can have very significant impacts.

One example is the damage caused by ransomware campaigns (such as Cryptolocker, then Wannacry, Petya, etc.) in the first half of 2017 to industrial companies of all sectors around the world.

Countermeasures and tools to protect networks and systems in industries and utilities are today increasingly evolved and can, and do, represent an effective response: yesterday a few simple rules, adopted seriously and consistently throughout the organization, were perhaps enough. Today it is necessary to take a leap forward in protection strategies, and the technologies available today can be valid tools to "go on producing" (Operation Continuity).


ServiTecno on Industrial Security Tuesdays
