【深度好文】生产设备PLC/HMI/SCADA的数据完整性风险!
生产设备PLC/HMI/SCADA的数据完整性风险!
GMP范围内常见的生产与工程的设备的计算机化系统大多以PLC(Program Logic Controller 可编程逻辑控制器),HMI (Human Machine Interface 人机交互界面-触摸屏),SCADA( Supervisory Control And Data Acquisition即数据采集与监视控制系统)三类形式存在;例如自动压片机,冻干机,包衣机,纯水制备分配及监控系统,环境监测系统。
相比于先前“数据完整性风暴中心”的QC实验室,生产和工程的计算机化系统更普遍存在着:系统老旧(如仍使用Windows XP),单机版系统多,流程中部件单元多,无数据备份和详细审计追踪,权限隔离不清,数据配置可被非法修改删除等问题。
检查缺陷
2018年5月24日签发的FDA 483(FEI 编号 3008565058)中就提及了生产设备数据完整性相关的缺陷:
检查发现,针对数据完整性:
(公司内)计算机化系统缺乏合适的管控手段来确保生产和控制的主数据和记录(master production and control records)仅仅能够被授权人士来修改。
特别指出,贵公司的生产设备不符合21 CFR Part 11:
a. 现阶段,有XX个单机版生产设备未能配置合适的HMI/PLC/SCADA系统,因此它们缺少带时间戳的审计追踪,数据管理,报警管理,记录归档与恢复等功能;
b. 现阶段,有XX个单机版设备有内置的HMI,但是这些HMI缺少带时间戳的审计追踪,数据管理,报警管理,记录归档与恢复等功能;
c. 现阶段,有XX个单机版设备有内置的SCADA,但是这些SCADA缺少带时间戳的审计追踪,数据管理,报警管理,记录归档与恢复等功能;这些设备仅仅可以打印针对CPP(关键过程参数)的实时审计追踪报告用以核对填写BMR(批次生产记录)。
PDA期刊:SCADA系统的数据完整性风险
在PDA期刊中刊登了关于SCADA系统的数据完整性风险:
Data Integrity Risks on SCADA Systems
SCADA系统数据完整性性风险
SCADA (Supervisory Control and Data Acquisition) software vendors have historically served industries that require tight controls over system configurations and data records. As a result, modern SCADA software systems have evolved to provide a robust set of tools intrinsically designed to prevent the intentional or unintentional undetectable alteration of system data. Most notably, the integration of electronic record management, electronic signatures, logical security, and audit trail functions are built-in or made available as optional features to provide compliance with FDA 21 CFR Part 11. However, there are several considerations and controls that are worth looking at regarding data integrity.
SCADA(监测控制和数据采集)软件供应商历来服务于各个需要严格控制系统配置和数据记录的行业。因此,现代SCADA软件系统已经发展到能够提供一套强大的工具,其内在设计可以防止系统数据有意或无意的不可检测的更改。最值得注意的是,电子记录管理、电子签名、逻辑安全和审计追踪功能的集成是内置的,或作为可选功能,以提供符合 FDA 21 CFR Part 11 的法规。但是,在数据完整性方面有几个注意事项和控制措施值得关注。
The front line defense is, of course, the security of the process network. Physical security of all network components should be considered in the design of the system. Production facilities, system servers, network switches, PLCs, IO modules, process instrumentation, and where possible, production workstation terminals should be kept under lock-and-key with access limited to as few individuals as necessary to operate and maintain the network hardware systems. Logical security should be limited to a documented list of authorized individuals, with clearly delineated permissions limiting their access to only those system functions commensurate to their level of responsibility and qualification to access or generate data on the system.
当然,前线防御是流程网络的安全性。在系统设计中应考虑所有网络组件的物理安全性。生产设施、系统服务器、网络交换机、PLC、IO模块、过程仪表,和生产工作站终端(如有)应妥善保管,并且访问仅限于需要对网络硬件系统进行操作和维护的人员。逻辑安全应限于经批准的人员,并有正式清单,明确划分权限限制其访问权限仅限于与其访问或生成的责任级别和资格相称的系统功能系统上的数据。
Clear guidelines for establishing security for a SCADA system are provided in the National Institute of Standards and Technology, Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security (Rev.2, May 2015,https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf). The document addresses security risks for Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC).
美国标准与技术研究所为SCADA系统安全性的提供了明确的指南, 特别出版800-82,工业控制系统 (ICS)安全指南(2015年5月第2版,https://nvlpubs.nist.gov/nistpubs/NIST/NIST.SP.800-82r2.pdf)。该指南包括监测控制和数据采集(SCADA)系统、分布式控制系统(DCS)和其他控制系统配置(如可编程逻辑控制器((PLC))的安全风险。
The Executive Summary of the Guide document offers examples of the types of possible incidents that might occur as a result of data security breaches or a lack of adequate data security on an industrial control system:
《指南》文件举例说明了由于数据安全漏洞或工业控制系统缺乏足够的数据安全而可能发生的事件类型:
· Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.
阻止或延迟ICS 网络上的信息流,可能导致ICS运行中断。
· Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.
对指令、命令或报警值的未经授权的更改,可能会损坏、或使设备失效或停止,造成环境影响和/或危及人的生命。
· Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects.
发送给系统操作员的不准确信息,导致未经授权的更改被掩盖,或导致操作员采取不恰当的行动,这可能会产生各种负面影响。
· ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects.
ICS 软件或配置设置被修改,或 ICS 软件感染恶意软件,这可能会产生各种负面影响。
· Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.
设备保护系统运行受到干扰,可能危及昂贵且难以更换的设备。
· Interference with the operation of safety systems, which could endanger human life.
干扰安全系统运行,可能危及人的生命。
Notably, the Executive Summary does not highlight the potential loss, adulteration, or alteration to process data history stored in a SCADA database. This risk is, however, addressed extensively throughout the document.
值得注意的是,指南没有强调存储在 SCADA 数据库中的工艺数据历史的潜在丢失、掺假或更改。但是,在整个文件中广泛讨论了这一风险。
The Executive Summary of the Guide document highlights the major security objectives for an ICS:
《指南》强调了ICS的主要安全目标:
· Restricting logical access to the ICS network and network activity.
限制对 ICS 网络和网络活动的逻辑访问。
· Restricting physical access to the ICS network and devices.
限制对 ICS 网络和设备的物理访问。
· Protecting individual ICS components from exploitation.
保护各ICS 组件免受攻击。
· Restricting unauthorized modification of data.
限制未经授权的数据修改。
· Detecting security events and incidents.
检测安全事件和事故。
· Maintaining functionality during adverse conditions.
在恶劣条件下保持功能。
· Restoring the system after an incident.
发生事故后还原系统。
In a typical ICS this means a defense-in-depth strategy that includes:
在典型的 ICS 中,这意味着深度防御战略,其中包括:
· Developing security policies, procedures, training and educational material that applies specifically to the ICS.
制定适用于 ICS 的安全政策、程序、培训和教育材料。
· Considering ICS security policies and procedures based on the Homeland Security Advisory System Threat Level, deploying increasingly heightened security postures as the Threat Level increases.
根据国土安全咨询系统威胁级别,考虑 ICS 的安全政策和程序,威胁级别越高,安全态势越严格。
· Addressing security throughout the lifecycle of the ICS from architecture design to procurement, to installation to maintenance to decommissioning.
解决 ICS 从架构设计到采购、安装、维护、退役整个生命周期的安全问题。
· Implementing a network topology for the ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
为具有多个层的 ICS 实现网络拓扑,最关键的通信发生在最安全可靠的层中。
· Providing logical separation between the corporate and ICS networks (e.g., stateful inspection firewall(s) between the networks, unidirectional gateways).
提供公司网络和 ICS 网络之间的逻辑分离(例如,网络、单向网关之间的有状态检查防火墙)。
· Employing a DMZ network architecture (i.e., prevent direct traffic between the corporate and ICS networks).
使用 DMZ 网络体系结构(即防止公司网络和 ICS 网络之间的直接交互)。
· Ensuring that critical components are redundant and are on redundant networks.
确保关键组件是冗余的,并且位于冗余网络上。
· Designing critical systems for graceful degradation (fault tolerant) to prevent catastrophic cascading events.
设计用于功能故障(容错)的关键系统,以防止灾难性级联事件。
· Disabling unused ports and services on ICS devices after testing to assure this will not impact ICS operation.
在测试后禁用 ICS 设备上未使用的端口和服务,以确保这不会影响 ICS 操作。
· Restricting physical access to the ICS network and devices.
限制对 ICS 网络和设备的物理访问。
· Restricting ICS user privileges to only those that are required to perform each person’s job (i.e., establishing role-based access control and configuring each role based on the principle of least privilege).
将 ICS 用户权限限制为仅执行个人工作所需的权限(即建立基于角色的访问控制和基于权限最小化原则配置每个角色)。
· Using separate authentication mechanisms and credentials for users of the ICS network and the corporate network (i.e., ICS network accounts do not use corporate network user accounts).
对 ICS 网络使用独立于公司网络的用户身份验证机制和凭据(即 ICS 网络帐户不使用公司网络用户帐户)。
· Using modern technology, such as smart cards for Personal Identity Verification (PIV).
使用现代技术,如用于个人身份验证 (PIV) 的智能卡。
· Implementing security controls such as intrusion detection software, antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software to, within, and from the ICS.
实施安全控制,如入侵检测软件、防病毒软件和文件完整性检查软件(如果技术上可行),以防止、阻止、检测和减轻恶意软件的入侵、暴露和传播。
· Applying security techniques such as encryption and/or cryptographic hashes to ICS data storage and communications where determined appropriate.
将加密和/或加密哈希等安全技术应用于 ICS 数据存储和通信(如果确定适当)。
· Expeditiously deploying security patches after testing all patches under field conditions on a test system if possible, before installation on the ICS.
如有可能,在测试环境下测试所有补丁后,在 安装至ICS 之前尽快部署安全补丁。
· Tracking and monitoring audit trails on critical areas of the ICS.
跟踪和监测 ICS 关键区域的审计追踪。
· Employing reliable and secure network protocols and services where feasible.
在可行的情况下使用可靠和安全的网络协议和服务。
典型的PLC/HMI/SCADA – 系统架构
典型的PLC/HMI/SCADA – 数据流
图2. 典型自动化生产工程系统的数据流示意图[1]
结合图1和图2,在典型的自动化生产和工程系统中:
数据流是:设备持续运行→PLC采集于设备→PLC短暂数据→ HMI(单机版)短暂数据→ SCADA(集成版)存储数据
21 CFR Part 211.68(b) 与 EU Annex 11 p5 都明确要求:为确保数据完整性,计算机化系统的数据,记录或者其他信息,其输入和输出都必需检查确认其准确性。 ´为满足上述期望,(企业)需要定期验证确认计算机化系统的软硬件以及接口,来确保直接来源设备的数据的准确性和可靠性(TGA,Code of GMP,2013)。
典型的PLC/HMI/SCADA – 数据管控措施
如下图2所示,为确保数据完整性,在整个数据流过程:
1. 首先,需要受管控(如前文提到的带时间戳的审计追踪)的CGMP 电子数据是指该数据最终保存时间必需是执行CGMP操作同一时间(Data Integrity – ALCOA中 Contemporaneous同时性要求);所以PLC Transient 短暂Data不是,而SCADA中Saved Data 在是CGMP电子数据(21 CFR 211.100(b))。
2. SCADA上存储的CGMP电子数据完整性需要带时间戳的审计追踪,数据管理,报警管理,记录归档与恢复等数据管控措施( EU Annex 11 )。
3. PLC和HMI上的临时短暂数据完整性则基于IT基础设施确认(GAMP5:IT Infrastructure qualification),设备校验,I/O准确性测试(EU Annex 15).
建议的措施
纯设备or外加自控PLC
1.启用前设备确认,生产中参数有记录,任何修改有流程控制
2.周期性校验传感器和参数设置
3.Time Stamp - 生产区设置时钟,定期校验,操作员写批次记录时实时记录
设备+PLC+HMI(最终数据存储)
1.HMI 数据为CGMP E-data;需计算机化系统验证 功能包括如用户管理,权限隔离,带时间戳的审计追踪,数据管理,产生报告,报警管理,记录归档与恢复等
2.如果受限于性能,上述审计追踪,数据备份,权限功能实现不了,临时措施可以以流程控制-操作日志本+纸质报告+签字,长期来看,对重要设备需要做CSV技术升级改造(MES or SCADA)。
设备+PLC+HMI(单机)+SCADA(集成)
SCADA数据为CGMP E-data;需计算机化系统验证 功能包括如用户管理,权限隔离,带时间戳的审计追踪,数据管理,产生报告,报警管理,记录归档与恢复等
免责声明:上述内容仅供交流学习使用,对文中陈述、观点判断保持中立,不对所包含内容的准确性、可靠性或完整性提供任何明示或暗示的保证。仅作参考,并请各位自行承担全部责任。版权归原作者所有,如遇版权问题请联系小编删除。