La strada Pharma4.0 undertaken by production companies in any sector, and in particular also those in the Life Sciences, has highlighted that technology combined with connectivity can lead to more efficiency and more value.
However, we often wonder if we are ready for this "hyper-connection", sometimes forgetting that in many situations the connection has already been active for some time.
Even the Industria4.0-Impresa4.0 plan indicated by Minister Calenda of the Italian government, like many plans in other European countries, recalls that Cyber Security is one of the pillars on which to base one's innovation strategy.
COME AND VISIT US AT PHARMINTECH 2019!
But where are the systems to protect?
Certainly in production departments, where we find control and automation systems on board the production lines, but let's not forget also all "ancillary" systems such as those for the Building and Facility management, water and steam production, fluid production and management (gas, water, vacuum, compressed air, etc.), energy management, etc.
The acronyms used to identify them are then those of the technologies used: PLC, SCADA, DCS, RTU, Historian, Lims, ERBS, DNC/CNC, factory networks, BMS, HVAC, WFI, CMMS, IoT, IIoT, etc.
Are these all systems that belong to the domain of OT (Operational Technology) which concerns factory IT, which today wants to differentiate itself from the domain of IT (Information Technology) typical of all "traditional IT" systems, such as management systems, Office applications, email, ERP, HR, etc.
But there is a big difference between IT Security and OT Security.
La Security IT aims to defend the data, Security OT aims to defend the plant controlled by the control/automation system.
The risk not è both the loss of the data, how much the loss of control of the system and therefore risk for the safety of people on the system, for damage to the plant assets themselves, the loss of production, quality, efficiency, etc.
This aspect is also highlighted by theamplitude and the specificity of the "attack surface”: while in IT we talk about PCs, Servers and the infrastructure that connects them (recently also extended to mobile devices and Cloud applications), in OT we talk about buses and field networks, factory networks, connections with distributed devices both within the perimeter of the plant(s), but also devices (RTU, PLC, etc.) sometimes distributed throughout the territory and with "open" connections.
Perhaps the most relevant aspect concerns precisely the requirements for the security of the managed information: for IT, the critical issues have been identified in Confidentiality, Integrity, Availability of information in this precise order.
Priorities in the OT world are exactly in reverse order: Availability comes first, with Integrity at the same level, while the confidentiality requirement in OT is often overlooked as often of little relevance.
To give an example, in IT it is important to protect data, IP (Intellectual Ptroperty), Privacy (see GDPR), Reputation, Business data, Company exposure on the WEB.
For the OT, production systems, supply chain, OEE, Traceability, Quality, Operation Continuity, etc. are important.
However, we must note that in regulated sectors such as Life Sciences, there is a direct interdependence between data protection and the protection of the system that manages production.
In fact, if the plant stops (whether it is due to a "cyber problem", or not) we stop producing, we are unable to ship the finished product, we do not issue shipping notes and invoices and the company does not cash.
HOW MUCH IS EACH HOUR OF DOWNTIME?
But, even if the plant produces regularly, we "lose the data" relating to production lots, we cannot yet deliver the finished product, we cannot invoice, e we cannot cash out.
The theme of “Data Integrity” it has become increasingly hot especially in recent times: protecting the data is the mantra. If you think about the acronym ALCOA expectations , to identify the requirements to be met for Data Integrity, means that common "Cyber Security" strategies are being adopted to protect information.
Unfortunately, however, even in the recent past when we spoke of Security we only thought of "Access Control": we have examples also in the various formulations of the 21CFR Part11 of the FDA and in the EU Annex 11.
In fact, Gamp5 also reflect this orientation, which was then widespread in 2005 when they were published.
We can see some rethinking in the Good Practice Guide documents issued by ISPE-GAMP in recent years.
However, we can draw some good ideas with an eye to system compliance by evaluating the GAMP5 Appendices from an Operation Continuity perspective, which is perhaps the most relevant aspect to justify investments in Security, especially in regulated sectors such as pharmaceuticals.
Here then is that at the Appendix O11 of Gamp5 entitled "Security Management" (which just mentions the confidentiality-integrity-availability triad among the Security requirements) from a Security/Operation-Continuity perspective, we can add the following appendices, with the value of "good practice" to adequately integrate our "Security Policy":
- O10 "Business Continuity Management"
- O9 “Backup & Restore”
- O3 “Performance Management”
- O4 "Incident Management"
- O6 “Operational Change & Configuration Management”
- O7 “Repair Activity”
- O5 "Corrective & Preventive Action"
- O8 “Periodic Review”
- O13 “Archiving & Retrieval”
We can also mention that there are other important ones established standards in the industrial world which can be valid references, even if they haven't been specifically designed for the Life Science sector: let's talk about ISA95 standards, which illustrates the functional hierarchical model of systems within industrial organizations, and the standard ISA99 become IEC62443 which deals specifically with the security of systems used in manufacturing.
Particularly IEC62443 in addition to defining models and terminology of networks and systems used in the factory, it illustrates how correct network architectures can be created with adequate segmentation into Zones and identification and use of Conduit (physical or logical) to allow communications between zones, segregating IT assets critical in protected areas.
Also NIST in USA has issued Standards that can be references for the protection of industrial networks and systems: let's think about SP800-53 generic on Information security in organizations, e SP800-82 more specific as “Guide to ICS Security”.
However, we must note that industrial systems and technologies evolve following the trends dictated by ICT: here, then, even in industrial systems, as also predicted by the Industry4.0 plans, Cloud, Industrial Internet, Industry IoT (Internet of Things) are used, Big Data and Analytics, Digital Twins, AR/VR, etc.
These new architectures and technologies impose new protection models as risks, vulnerabilities and threats can be different.
In this regard we can then consider among the models and references to study, those indicated by CSA (Cloud Security Alliance) in addition to NIST documents such as NIST SP800-144 on “Network of Things” and SP800-183 on “Guidelines on Security & privacy in Public Cloud Computing”.
Let's not forget that today threats are widespread and unpredictable, and above all with "collateral damage" that can have very significant impacts. An example to mention can be the damage caused by ransomware campaigns (such as Cryptolocker, then Wannacry, Pethya, etc.) in the first half of 2017 to industrial companies of all sectors around the world.
Countermeasures, instruments and tools to protect networks and systems in industries and utilities today are increasingly evolved and can and can represent an effective response: yesterday perhaps a few simple rules were enough to be adopted in a serious and widespread way throughout the organization. Today it is necessary to take a leap forward in protection strategies and the technologies available today can represent valid tools to "go on producing" (Operation Continuity).
COME AND VISIT US AT PHARMINTECH 2019!
But where are the systems to protect?