OT/ICS/IIOT CYBER SECURITY RISKS AND INDUSTRY4.0/PHARMA4.0
Enzo M. Tieghi, CEO, ServiTecno Italy – GE Digital Alliance Partner • ISPE Italy Affiliate • CSA Cloud Security Alliance Italia • [email protected] • it.linkedin.com/in/etieghi
INDUSTRY4.0 & CYBER SECURITY
Connecting Pharmaceutical Knowledge ispe.org
Where are these systems to be protected?
Well, everywhere in your Facility: Industrial Processes, Buildings, Packaging, Logistics, Manufacturing & Infrastructures (Power, HVAC, WFI, etc.)
Where and What are these systems to be protected?
• DCS (Distributed Control Systems)
• PLC (Programmable Controllers) and related buses
• SCADA/HMI plant floor networks
• Historians, Database, etc.
• DNC/CNC, Robot, AGV, 3D-Printers (additive Mfg)
• MES, EBRS & Production Management Systems, Traceability, Track and Trace, Efficiency monitoring and Analysis, OEE, etc.
• LIMS, QA/QC, Calibration Systems, Measurement and Smart Instrumentation
• Remote connections and remote Asset Performance Monitoring and Maintenance (Portals, CMMS, IoT, Industrial IoT, etc.)
• Plant LAN, Connected Smart Building and Facility/Building BMS, HVAC, WFI, …
• …
IT vs. OT: WHAT'S THE BIG DIFFERENCE?
IT Security is about Data
OT Security is about Critical Assets & Operation Continuity
• People, Environment, Assets
• RISK and SAFETY
• UPTIME & PRODUCTION, Quality and Performance
Different (Wider?) ATTACK SURFACE
• IT: Protect the Data
• OT: Protect the Assets
[Diagram labels: Internet, Enterprise Network, DMZ, Primary control center, SCADA Network, Remote stations, DCS Local production]
IT Security vs OT Security: Requirements
[Network diagram labels: Manufacturing, Chemical, Food & Beverage, Oil & Gas, Power, Healthcare; Data Center, Security Ops Center, Officers & Directors, Business Unit, Production Ops Center, Remote Employee, Integrator/Vendor, Supply Chain; MPLS, Internet, TelCo, VPN, IT Next Gen Firewall, DMZ, Domain Controller, Web Proxy, Syslog; Backbone, Router, HMI, Historian, Engineering Workstation, Engineering Server, DCS, PLC, RTU]
IT Priority: 1. Confidentiality 2. Integrity 3. Availability
OT Priority: 1. Availability 2. Integrity 3. Confidentiality
IT Security vs OT Security: Requirements
IT Priority is about DATA, WEB, IP Protection, GDPR (Privacy), Reputation, Business Data …
OT Priority is about OEE, Supply Chain, Traceability, Operation Continuity, Production, Quality ...
IT Security vs OT Security: Please Remember the Interdependency
If your Plant stops, you cannot ship products, send invoices, get money and make revenues …
If your Plant runs, but you lose your Data, you cannot ship products, send invoices, get money and make revenues
Talking about DATA means “Data Integrity”: most of ALCOA+ means “Think about Security”
Security is not (only) “Access Control”
GAMP® 5 and Security: A Risk-Based Approach to Compliant GxP Computerized Systems
GAMP® Good Practice Guides, and Security
GAMP® Good Practice Guide: A Risk-Based Approach to Electronic Records and Signatures
GAMP® Good Practice Guide: A Risk-Based Approach to GxP Compliant Laboratory Computerized Systems (Second Edition)
GAMP® Good Practice Guide: A Risk-Based Approach to GxP Process Control Systems (Second Edition)
GAMP® Good Practice Guide: A Risk-Based Approach to Operation of GxP Computerized Systems - A Companion Volume to GAMP 5
GAMP® Good Practice Guide: A Risk-Based Approach to Regulated Mobile Applications
GAMP® Good Practice Guide: A Risk-Based Approach to Testing of GxP Systems (Second Edition)
GAMP® Good Practice Guide: Electronic Data Archiving
GAMP® Good Practice Guide: Global Information Systems Control and Compliance
GAMP® Good Practice Guide: IT Infrastructure Control and Compliance
GAMP® Good Practice Guide: Legacy Systems
GAMP® Good Practice Guide: Manufacturing Execution Systems – A Strategic and Program Management Approach
GAMP® 5: Table of Appendices
Security Management
ANSI/ISA95 Functional Hierarchy: ISA99/IEC62443, IT vs OT Security
• Level 4: Business Planning & Logistics (Plant Production Scheduling, Operational Management, etc.). Establishing the basic plant schedule: production, material use, delivery, and shipping. Determining inventory levels. Time frame: months, weeks, days.
• Level 3: Manufacturing Operations Management (Dispatching Production, Detailed Production Scheduling, Reliability Assurance, ...). Work flow / recipe control to produce the desired end products. Maintaining records and optimizing the production process. Time frame: days, shifts, hours, minutes, seconds.
• Level 2: Monitoring, supervisory control and automated control of the production process.
• Level 1: Sensing the production process, manipulating the production process.
• Level 0: The actual production process.
• Control types shown: Batch Control, Discrete Control, Continuous Control.
Network/System Segmentation using ISA99/IEC62443
• Limit the ingress and egress points through Zone boundaries
• Protect the connections between Zones
• Zones & Conduits are logical. For practical purposes, match Zones to network architecture as much as possible
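The zone-and-conduit idea in the bullets above can be checked mechanically against observed traffic. The following is an added example, not taken from the slides or from any vendor tool: the zone names follow the deck's security-architecture slide, while the subnets, the conduit table, the ports and the sample flows are all constructed assumptions.

```python
"""Zone-and-conduit check over observed flows (added example; all values constructed)."""
from ipaddress import ip_address, ip_network

# Zone names follow the security-architecture slide; the subnets are assumptions.
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),
    "manufacturing_ops": ip_network("10.20.0.0/16"),
    "perimeter": ip_network("10.30.0.0/24"),
    "control_system": ip_network("10.40.0.0/16"),
    "process_control": ip_network("10.50.0.0/16"),
}

# Conduits: the only permitted zone crossings, each limited to named TCP ports.
# Direction matters: (source zone, destination zone) -> allowed destination ports.
CONDUITS = {
    ("enterprise", "perimeter"): {443},
    ("manufacturing_ops", "perimeter"): {443},
    ("perimeter", "control_system"): {1433},  # hypothetical historian replication
    ("control_system", "process_control"): {502, 44818},  # Modbus/TCP, EtherNet/IP
}

def zone_of(addr):
    """Return the zone name containing addr, or None if it is outside every zone."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)

def check_flow(src, dst, dport):
    """Classify one flow as 'intra-zone', 'conduit', or a violation string."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "violation: unknown zone"
    if sz == dz:
        return "intra-zone"
    allowed = CONDUITS.get((sz, dz))
    if allowed is None:
        return f"violation: no conduit {sz} -> {dz}"
    if dport not in allowed:
        return f"violation: port {dport} not allowed on {sz} -> {dz}"
    return "conduit"

def audit(flows):
    """Return only the flows that break the zone/conduit policy."""
    checked = [(f, check_flow(*f)) for f in flows]
    return [(f, v) for f, v in checked if v.startswith("violation")]

# Constructed sample flows: (source IP, destination IP, destination TCP port).
SAMPLE_FLOWS = [
    ("10.40.1.5", "10.50.2.9", 502),     # control system to PLC over the defined conduit
    ("10.10.7.21", "10.50.2.9", 502),    # enterprise host reaching a PLC directly
    ("10.30.0.8", "10.40.1.5", 3389),    # right zones, wrong port
    ("10.50.2.9", "10.50.2.10", 44818),  # inside one zone
    ("192.0.2.44", "10.40.1.5", 443),    # source outside every zone
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(flow, "->", verdict)
```

Because the conduit table is directional and default-deny, any crossing that is not listed surfaces as a violation, which is what limiting ingress and egress points through zone boundaries means in practice.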
Example of a “Security Architecture” in automation and control systems
• Enterprise Control Network
• Manufacturing Operations Network
• Perimeter Control Network
• Control System Network
• Process Control Network
www.nozominetworks.com / CONFIDENTIAL
Use Case 1: Network Visualization and Monitoring
From a “tangled” situation …
Use Case 1: Network Visualization and Monitoring
… with two clicks the operator can filter the communications of interest …
NIST: SP800-53, SP800-82, SP800-144, SP800-183
Which standard for IoT Cybersecurity?
NISTIR 8200 (Draft): Security vs. Privacy
(* PII: Personally Identifiable Information)
NISTIR 8200 (Draft): Capabilities of an IoT Component
IT Security vs OT/IIoT Security: Requirements
“Old” IT Priorities: 1. Confidentiality 2. Integrity 3. Availability
“New” IT/OT/IoT Priorities: 1. Authentication 2. Availability 3. Confidentiality 4. Integrity 5. Non-Repudiation
NISTIR 8200 (Draft): Health IoT Example (Precision Medicine)
NISTIR 8200 (Draft): Health IoT Example (Diabetes / Nutrition)
NISTIR 8200 (Draft): Smart Building Example
INDUSTRY4.0 & CYBER SECURITY
• Industrial Internet
• Cloud
• Big Data, Analytics
• IoT, IIoT
• Digital Twins
needs different protection approach
Which is the «real» THREAT today?
ICS/OT Cyber risk mitigation Security trends
Technology might help?