OT/ICS/IIOT CYBER SECURITY RISKS AND INDUSTRY4.0/PHARMA4.0
Enzo M. Tieghi, CEO, ServiTecno Italy – GE Digital Alliance Partner • ISPE Italy Affiliate • CSA Cloud Security Alliance Italia • [email protected] • it.linkedin.com/in/etieghi
INDUSTRY4.0 & CYBER SECURITY
Connecting Pharmaceutical Knowledge ispe.org
Where are these systems to be protected?
Well, everywhere in your Facility: Industrial Processes, Buildings, Packaging, Logistics, Manufacturing & Infrastructures (Power, HVAC, WFI, etc.)
DCS (Distributed Control Systems)
PLC (Programmable Controllers) and related buses
SCADA/HMI plant floor networks
Historians, Database, etc.
DNC/CNC, Robot, AGV, 3D-Printers (additive Mfg)
MES, EBRS & Production Management Systems, Traceability, Track and Trace, Efficiency monitoring and Analysis, OEE, etc.
LIMS, QA/QC, Calibration Systems, Measurement and Smart Instrumentation
Remote connections and remote Asset Performance Monitoring and Maintenance (Portals, CMMS, IoT, Industrial IoT, etc.)
Plant LAN, Connected Smart Building and Facility/Building BMS, HVAC, WFI, …
…
Where and What are these systems to be protected?
IT vs OT: WHAT’S THE BIG DIFFERENCE?
IT Security is about Data
OT Security is about Critical Assets & Operation Continuity
People, Environment, Assets
RISK and SAFETY
UPTIME & PRODUCTION, Quality and Performance
Different (Wider?) ATTACK SURFACE
IT: Protect the Data
OT: Protect the Assets
[Figure: network diagram with Internet, Enterprise Network, DMZ, Primary control center, SCADA Network, Remote stations, DCS Local production]
[Figure: reference network diagram. Sectors: Manufacturing, Chemical, Food & Beverage, Oil & Gas, Power, Healthcare. Labelled elements: Data Center, Security Ops Center, Officers & Directors, Business Unit, IT Next Gen Firewall, Production Ops Center, MPLS, Internet, TelCo, Remote Employee, VPN, DMZ, Domain Controller, Web Proxy, Syslog, Router, HMI, Historian, Engineering Workstation, Engineering Server, DCS, PLC, RTU, Backbone, Integrator/Vendor, Supply Chain]
IT Priority: 1. Confidentiality 2. Integrity 3. Availability
OT Priority: 1. Availability 2. Integrity 3. Confidentiality
IT Security vs OT Security: Requirements
IT Priority is about DATA, WEB, IP Protection, GDPR (Privacy), Reputation, Business Data …
OT Priority is about OEE, Supply Chain, Traceability, Operation Continuity, Production, Quality ...
IT Security vs OT Security: Requirements
If your Plant stops, you cannot ship products, send invoices, get money and make revenues …
If your Plant runs, but you lose your Data, you cannot ship products, send invoices, get money and make revenues
IT Security vs OT Security: Please Remember the Interdependency
Talking about DATA means “Data Integrity”: most of ALCOA+ means “Think about Security”
Security is not (only) “Access Control”
GAMP® 5 and Security: A Risk-Based Approach to Compliant GxP Computerized Systems
GAMP® Good Practice Guides, and Security
GAMP® Good Practice Guide: A Risk-Based Approach to Electronic Records and Signatures
GAMP® Good Practice Guide: A Risk-Based Approach to GxP Compliant Laboratory Computerized Systems (Second Edition)
GAMP® Good Practice Guide: A Risk-Based Approach to GxP Process Control Systems (Second Edition)
GAMP® Good Practice Guide: A Risk-Based Approach to Operation of GxP Computerized Systems - A Companion Volume to GAMP 5
GAMP® Good Practice Guide: A Risk-Based Approach to Regulated Mobile Applications
GAMP® Good Practice Guide: A Risk-Based Approach to Testing of GxP Systems (Second Edition)
GAMP® Good Practice Guide: Electronic Data Archiving
GAMP® Good Practice Guide: Global Information Systems Control and Compliance
GAMP® Good Practice Guide: IT Infrastructure Control and Compliance
GAMP® Good Practice Guide: Legacy Systems
GAMP® Good Practice Guide: Manufacturing Execution Systems – A Strategic and Program Management Approach
GAMP® 5: Table of Appendices
Security Management
Level 4: Business Planning & Logistics (Plant Production Scheduling, Operational Management, etc.)
4 - Establishing the basic plant schedule - production, material use, delivery, and shipping. Determining inventory levels.
Time Frame: Months, weeks, days
Level 3: Manufacturing Operations Management (Dispatching Production, Detailed Production Scheduling, Reliability Assurance, ...)
3 - Work flow / recipe control to produce the desired end products. Maintaining records and optimizing the production process.
Time Frame: Days, Shifts, hours, minutes, seconds
Below Level 3: Batch Control, Discrete Control, Continuous Control
Level 2: 2 - Monitoring, supervisory control and automated control of the production process
Level 1: 1 - Sensing the production process, manipulating the production process
Level 0: 0 - The actual production process
ANSI/ISA95 Functional Hierarchy: ISA99/IEC62443, IT vs OT Security
Network/System Segmentation using ISA99/IEC62443
• Limit the ingress and egress points through Zone boundaries
• Protect the connections between Zones
• Zones & Conduits are logical. For practical purposes, match Zones to network architecture as much as possible
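A minimal sketch of the zone and conduit rules above, as an added example that is not part of the original slides: zones are matched to subnets, and every observed flow that crosses a zone boundary outside a defined conduit is flagged. The zone names, subnets, ports and flow records are constructed assumptions.

```python
import ipaddress

# Zones matched to network segments (constructed addressing, an assumption).
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),
    "operations": ipaddress.ip_network("10.30.0.0/24"),
    "control":    ipaddress.ip_network("10.40.0.0/24"),
}

# Conduits: the only permitted zone-to-zone paths, each with its allowed TCP ports.
CONDUITS = {
    ("enterprise", "dmz"): {443},
    ("dmz", "operations"): {443},
    ("operations", "control"): {4840},   # OPC UA default port
    ("control", "operations"): {4840},
}

def zone_of(addr):
    """Map an IP address to its zone name, or 'unknown' if outside every zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def check_flow(src, dst, port):
    """Return (verdict, src_zone, dst_zone) for one observed flow."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz and sz != "unknown":
        return ("intra-zone", sz, dz)        # never crosses a boundary
    if port in CONDUITS.get((sz, dz), set()):
        return ("conduit", sz, dz)           # crosses through a defined conduit
    return ("violation", sz, dz)             # crosses a boundary with no conduit

def violations(flows):
    return [f for f in flows if check_flow(*f)[0] == "violation"]

# Constructed flow records: (source, destination, destination TCP port).
FLOWS = [
    ("10.10.5.20", "10.20.0.10", 443),    # enterprise -> dmz
    ("10.20.0.10", "10.30.0.15", 443),    # dmz -> operations
    ("10.30.0.15", "10.40.0.7", 4840),    # operations -> control
    ("10.40.0.7", "10.40.0.8", 502),      # inside control zone (Modbus/TCP)
    ("10.10.5.20", "10.40.0.7", 502),     # enterprise straight to control
    ("10.40.0.7", "203.0.113.9", 443),    # control to an address in no zone
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, "->", check_flow(*f))
```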
Example of “Security Architecture” in automation and control systems
[Figure: network layers: Enterprise Control Network, Manufacturing Operations Network, Perimeter Control Network, Control System Network, Process Control Network]
www.nozominetworks.com / CONFIDENTIAL
Use Case 1: Network Visualization and Monitoring: From a “tangled” situation …
Use Case 1: Network Visualization and Monitoring
… with two clicks the operator can filter the communications of interest …
NIST: SP800-53, SP800-82, SP800-144, SP800-183
Which standard for IoT Cybersecurity?
NISTIR 8200 (Draft): Security vs. Privacy
(* PII: Personally Identifiable Information)
NISTIR 8200 (Draft): Capabilities of an IoT Component
“Old” IT Priorities: 1. Confidentiality 2. Integrity 3. Availability
“New” IT/OT/IoT Priorities: 1. Authentication 2. Availability 3. Confidentiality 4. Integrity 5. Non-Repudiation
IT Security vs OT/IIoT Security: Requirements
NISTIR 8200 (Draft): Health IoT Example (Precision Medicine)
NISTIR 8200 (Draft): Health IoT Example (Diabetes / Nutrition)
NISTIR 8200 (Draft): Smart Building Example
INDUSTRY4.0 & CYBER SECURITY
• Industrial Internet
• Cloud
• Big Data, Analytics
• IoT, IIoT
• Digital Twins
need a different protection approach
Which is the «real» THREAT today?
ICS/OT Cyber risk mitigation Security trends
Technology might help?