
[In-depth] Data integrity risks of production equipment PLC/HMI/SCADA

2019-08-08 15:45:19  山东耀智信息科技有限公司



Source: WeChat official account 允咨GMP (WeChat ID YOUTH20171219). Reposted from the WeChat official account GMP办公室; author: its translation team.

 

In GMP production and engineering, the computerised systems of equipment mostly take one of three forms: PLC (Programmable Logic Controller), HMI (Human Machine Interface, i.e. the touch screen) and SCADA (Supervisory Control And Data Acquisition). Examples are automatic tablet presses, dryers, coating machines, and purified-water generation and distribution systems with their control and monitoring.

 

Compared with the QC laboratory, where data-integrity findings were concentrated earlier, the computerised systems of production and engineering commonly share these problems: they are old (e.g. still running Windows XP); many are stand-alone systems; the process involves many components and elements; there is no data backup and no detailed audit trail; privilege separation is unclear; and data and configuration can be illegitimately modified or deleted.

 

Inspection findings

 

An FDA Form 483 issued on 24 May 2018 (FEI 3008565058) cited data-integrity deficiencies in production equipment:

[Image: excerpt of the FDA 483 observation]

 

The inspection observed, regarding data integrity:

The firm's computerised systems lack appropriate controls to ensure that master production and control records are modified only by authorised personnel.

It was pointed out that the firm's production equipment does not comply with 21 CFR Part 11:

a. Currently, the XX stand-alone production equipment is not configured with a suitable HMI/PLC/SCADA, so it lacks time-stamped audit trails, data backup, alarm management, and record archiving and restore.

b. Currently, the XX stand-alone equipment has a built-in HMI, but the HMI lacks time-stamped audit trails, data backup, alarm management, and record archiving and restore.

c. Currently, the XX stand-alone equipment has a built-in SCADA, but the SCADA lacks time-stamped audit trails, data backup, alarm management, and record archiving and restore; the equipment can only print a real-time audit-trail report of the CPPs (critical process parameters), which is used to check the entries made in the BMR (batch manufacturing record).

 

PDA journal: data integrity risks of SCADA

The PDA journal published the following article on the data integrity risks of SCADA systems:

 

 

Data Integrity Risks on SCADA Systems


 

SCADA (Supervisory Control and Data Acquisition) software vendors have historically served industries that require tight controls over system configurations and data records. As a result, modern SCADA software systems have evolved to provide a robust set of tools intrinsically designed to prevent the intentional or unintentional undetectable alteration of system data. Most notably, the integration of electronic record management, electronic signatures, logical security, and audit trail functions are built-in or made available as optional features to provide compliance with FDA 21 CFR Part 11. However, there are several considerations and controls that are worth looking at regarding data integrity.


 

The front line defense is, of course, the security of the process network. Physical security of all network components should be considered in the design of the system. Production facilities, system servers, network switches, PLCs, IO modules, process instrumentation, and where possible, production workstation terminals should be kept under lock-and-key with access limited to as few individuals as necessary to operate and maintain the network hardware systems. Logical security should be limited to a documented list of authorized individuals, with clearly delineated permissions limiting their access to only those system functions commensurate to their level of responsibility and qualification to access or generate data on the system.


 

Clear guidelines for establishing security for a SCADA system are provided in the National Institute of Standards and Technology, Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security (Rev. 2, May 2015, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf). The document addresses security risks for Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC). Rev. 2 has since been superseded by Rev. 3, Guide to Operational Technology (OT) Security (September 2023); the summary that follows is taken from Rev. 2, which is what the original article quoted.

 

The Executive Summary of the Guide document offers examples of the types of possible incidents that might occur as a result of data security breaches or a lack of adequate data security on an industrial control system:


· Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.

· Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.

· Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects.

· ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects.

· Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.

· Interference with the operation of safety systems, which could endanger human life.

 

Notably, the Executive Summary does not highlight the potential loss, adulteration, or alteration to process data history stored in a SCADA database. This risk is, however, addressed extensively throughout the document.


 

The Executive Summary of the Guide document highlights the major security objectives for an ICS:


 

· Restricting logical access to the ICS network and network activity.

· Restricting physical access to the ICS network and devices.

· Protecting individual ICS components from exploitation.

· Restricting unauthorized modification of data.

· Detecting security events and incidents.

· Maintaining functionality during adverse conditions.

· Restoring the system after an incident.

 

In a typical ICS this means a defense-in-depth strategy that includes:


 

· Developing security policies, procedures, training and educational material that applies specifically to the ICS.

· Considering ICS security policies and procedures based on the Homeland Security Advisory System Threat Level, deploying increasingly heightened security postures as the Threat Level increases.

· Addressing security throughout the lifecycle of the ICS from architecture design to procurement, to installation to maintenance to decommissioning.

· Implementing a network topology for the ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.

· Providing logical separation between the corporate and ICS networks (e.g., stateful inspection firewall(s) between the networks, unidirectional gateways).

· Employing a DMZ network architecture (i.e., prevent direct traffic between the corporate and ICS networks).

· Ensuring that critical components are redundant and are on redundant networks.

· Designing critical systems for graceful degradation (fault tolerant) to prevent catastrophic cascading events.

· Disabling unused ports and services on ICS devices after testing to assure this will not impact ICS operation.

· Restricting physical access to the ICS network and devices.

· Restricting ICS user privileges to only those that are required to perform each person’s job (i.e., establishing role-based access control and configuring each role based on the principle of least privilege).

· Using separate authentication mechanisms and credentials for users of the ICS network and the corporate network (i.e., ICS network accounts do not use corporate network user accounts).

· Using modern technology, such as smart cards for Personal Identity Verification (PIV).

· Implementing security controls such as intrusion detection software, antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software to, within, and from the ICS.

· Applying security techniques such as encryption and/or cryptographic hashes to ICS data storage and communications where determined appropriate.

· Expeditiously deploying security patches after testing all patches under field conditions on a test system if possible, before installation on the ICS.

· Tracking and monitoring audit trails on critical areas of the ICS.

· Employing reliable and secure network protocols and services where feasible.

 

Typical PLC/HMI/SCADA – architecture

 

[Figure 1 (image): typical PLC/HMI/SCADA architecture]

 

 

Typical PLC/HMI/SCADA – data flow

 

[Figure 2 (image)]

Figure 2. Data flow in a typical automated production/engineering system [1]

 

As Figures 1 and 2 show, in a typical automated production and engineering system the data flow is:

equipment runs → PLC acquires data from the equipment → PLC buffers the data → HMI (stand-alone) stores it short-term → SCADA (integrated) stores it long-term

 

21 CFR 211.68(b) and EU Annex 11 section 5 both explicitly require that, to ensure data integrity, input to and output from a computerised system of data, records or other information must be checked for accuracy. To meet this expectation, the company needs to periodically verify and qualify the computerised system's hardware and interfaces, so as to ensure the accuracy and reliability of data that comes directly from the equipment (TGA, Code of GMP, 2013).
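The accuracy check that 211.68(b) asks for, applied to the data flow above, amounts to reconciling what the PLC read against what the historian saved. The following is an added example, not code from the article or from any vendor. Tag names, timestamps and values are constructed, and it assumes the historian stores the PLC's source timestamp next to its own commit time for every row. It reports the ways a sample can go wrong between PLC and SCADA: lost in transit, altered in value, committed long after the read (not contemporaneous), committed "before" the read (historian clock behind the PLC clock), present in the historian with no PLC source, or stored twice.

```python
"""Reconcile PLC transient readings against SCADA historian rows.

Added example, not code from the article or from any vendor. Tags, values
and timestamps are constructed; it assumes the historian keeps the PLC's
source timestamp next to its own commit time for every stored sample.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

T0 = datetime(2019, 8, 8, 7, 45, 0, tzinfo=timezone.utc)  # constructed batch start


@dataclass(frozen=True)
class PlcReading:
    tag: str
    ts: datetime          # PLC scan time (transient data)
    value: float


@dataclass(frozen=True)
class ScadaRecord:
    tag: str
    source_ts: datetime   # PLC timestamp carried with the sample
    stored_ts: datetime   # when the historian committed the row
    value: float


def historian_from(plc: List[PlcReading], latency_s: float = 1.0) -> List[ScadaRecord]:
    """The rows the historian should hold if nothing was lost, altered or delayed."""
    return [ScadaRecord(r.tag, r.ts, r.ts + timedelta(seconds=latency_s), r.value)
            for r in plc]


def reconcile(plc: List[PlcReading], scada: List[ScadaRecord],
              tolerance: float = 0.1,
              max_latency: timedelta = timedelta(seconds=5)) -> List[Tuple]:
    """Return findings as (kind, tag, source_ts, detail); an empty list means clean."""
    findings: List[Tuple] = []
    plc_by_key = {(r.tag, r.ts): r for r in plc}
    # A sample stored twice points at a replay or a misbehaving collector.
    counts = Counter((r.tag, r.source_ts) for r in scada)
    for (tag, ts), n in counts.items():
        if n > 1:
            findings.append(("duplicate", tag, ts, f"stored {n} times"))
    scada_by_key = {(r.tag, r.source_ts): r for r in scada}
    for (tag, ts), reading in plc_by_key.items():
        row = scada_by_key.get((tag, ts))
        if row is None:
            findings.append(("missing", tag, ts, "sample never reached the historian"))
            continue
        if abs(row.value - reading.value) > tolerance:
            findings.append(("value_mismatch", tag, ts,
                             f"plc={reading.value} scada={row.value}"))
        latency = row.stored_ts - row.source_ts
        if latency < timedelta(0):
            findings.append(("clock_skew", tag, ts, "committed before it was read"))
        elif latency > max_latency:
            findings.append(("stored_late", tag, ts, f"committed {latency} after the read"))
    for (tag, ts) in scada_by_key:
        if (tag, ts) not in plc_by_key:
            findings.append(("no_source", tag, ts, "historian row with no PLC sample"))
    return findings


# Constructed sample: one temperature tag sampled every second and one pressure tag.
PLC_READINGS = [
    PlcReading("TT101", T0, 60.0),
    PlcReading("TT101", T0 + timedelta(seconds=1), 60.2),
    PlcReading("TT101", T0 + timedelta(seconds=2), 60.4),
    PlcReading("TT101", T0 + timedelta(seconds=3), 60.5),
    PlcReading("PT201", T0, 1.20),
]

# Constructed historian content with one defect of each kind.
SCADA_RECORDS = [
    ScadaRecord("TT101", T0, T0 + timedelta(seconds=1), 60.0),                           # correct
    ScadaRecord("TT101", T0 + timedelta(seconds=1), T0 + timedelta(seconds=2), 62.2),    # value altered
    # the T0+2s sample is absent: lost between PLC and SCADA
    ScadaRecord("TT101", T0 + timedelta(seconds=3), T0 + timedelta(seconds=15), 60.5),   # committed late
    ScadaRecord("PT201", T0, T0 - timedelta(seconds=30), 1.20),                          # historian clock behind PLC
    ScadaRecord("TT101", T0 + timedelta(seconds=10), T0 + timedelta(seconds=11), 61.0),  # no PLC source
]

if __name__ == "__main__":
    for finding in reconcile(PLC_READINGS, SCADA_RECORDS):
        print(*finding)
```

Run it after a batch over the historian export and the PLC's own buffer (or a second, independent acquisition path): a clean run returns no findings, and each finding maps to one of the incident types in the NIST list above (blocked or delayed information flow, inaccurate information sent to operators, unauthorised change to data).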

 

Typical PLC/HMI/SCADA – data control measures

 

As Figure 2 shows, to ensure data integrity along the whole data flow:

1. First, the CGMP electronic data that must be controlled (e.g. with the time-stamped audit trail mentioned above) is data whose final storage time coincides with the time of the CGMP operation (the "Contemporaneous" requirement of ALCOA). Therefore the PLC's transient data is not the CGMP electronic data; the SCADA's saved data is (21 CFR 211.100(b)).

2. The integrity of the CGMP electronic data stored on the SCADA requires data control measures such as a time-stamped audit trail, data backup, alarm management, and record archiving and restore (see EU Annex 11).

3. The integrity of the transient data on the PLC and HMI rests on IT infrastructure qualification (GAMP 5, IT Infrastructure Qualification) and on equipment I/O accuracy testing (EU Annex 15).
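Several of the NIST measures quoted above (role-based access with least privilege, cryptographic hashes over ICS data storage, tracking audit trails, detecting security events) and the data control measures in this section (time-stamped audit trail; master records modified only by authorised personnel, as in the 483 observation) can be met by one append-only record. The following is an added example, not code from the article or from any SCADA product. The role table, user IDs and tag names are constructed, and the HMAC key is assumed to be held by a signing service or HSM that the HMI/SCADA user accounts cannot read. Every entry carries a time stamp, the user and role, the old and new value and a reason, and is chained to the previous entry by an HMAC, so editing, deleting, inserting or reordering a stored entry fails verification. Denied attempts are recorded too, since an audit trail that only shows successes cannot detect security events.

```python
"""Append-only, hash-chained audit trail with role-based change authorisation.

Added example, not code from the article or from any SCADA product. The role
table, user IDs and tag names are constructed. The HMAC key is assumed to be
held by a signing service (or HSM) that the HMI/SCADA user accounts cannot read.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed least-privilege role model: each role gets only what its job needs,
# and no role can delete or edit an existing entry.
ROLE_PERMISSIONS = {
    "operator": {"acknowledge_alarm", "start_batch"},
    "engineer": {"acknowledge_alarm", "start_batch", "change_setpoint"},
    "qa": {"review_trail"},
}
USERS = {"op01": "operator", "eng02": "engineer", "qa03": "qa"}  # constructed

GENESIS = "0" * 64  # stands in for the "previous MAC" of the first entry


def _canonical(body: dict) -> bytes:
    """Deterministic serialisation so every verifier MACs the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def _mac(self, body: dict) -> str:
        return hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()

    def record(self, user: str, action: str, tag: str, old, new, reason: str,
               ts: Optional[datetime] = None) -> dict:
        """Authorise the action by role, then append an entry; denials are logged too."""
        role = USERS.get(user)
        allowed = role is not None and action in ROLE_PERMISSIONS.get(role, set())
        body = {
            "seq": len(self.entries),
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),  # NTP-synced clock assumed
            "user": user,
            "role": role,
            "action": action,
            "tag": tag,
            "old": old,
            "new": new if allowed else old,   # a denied change leaves the value as it was
            "reason": reason,
            "result": "applied" if allowed else "denied",
            "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        entry = dict(body, mac=self._mac(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute the chain; return (ok, index of the first entry that fails)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False, i   # an entry was deleted, inserted or reordered
            if not hmac.compare_digest(self._mac(body), entry["mac"]):
                return False, i   # a field was edited after it was written
            prev = entry["mac"]
        return True, None


if __name__ == "__main__":
    trail = AuditTrail(b"constructed-demo-key")
    trail.record("eng02", "change_setpoint", "TT101_SP", 60.0, 62.0, "approved change")
    trail.record("op01", "change_setpoint", "TT101_SP", 62.0, 70.0, "")  # denied, still logged
    print(trail.verify())             # (True, None)
    trail.entries[0]["new"] = 65.0    # silent edit of a stored record
    print(trail.verify())             # (False, 0)
```

The key placement is the whole point: if the HMAC key sits on the HMI workstation, an engineer with local admin rights can edit an entry and re-chain everything after it, and verification proves nothing. Keep the key in a separate signing service, write the entries to storage the HMI account cannot delete from, and take the time stamps from the synchronised clock that the recommended measures below call for.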

 

Recommended measures

 

Stand-alone equipment, or equipment with an add-on PLC controller

1. Before the equipment is put into use, all production parameters are recorded, and any modification goes through a change-control procedure.

2. Sensors are calibrated and parameters verified periodically.

3. Time stamp: the equipment clock is synchronised and checked periodically, and the operator records values in the batch record in real time.

 

Equipment + PLC + HMI (the HMI is the longest-term data store)

1. HMI data is CGMP electronic data and requires computerised system validation; the functions to cover include user management, privilege separation, time-stamped audit trail, data backup, reporting, alarm management, and record archiving and restore.

2. If, because of performance limits, the audit trail, data backup and privilege functions cannot be implemented, an interim measure is procedural control: operator logbook + printed reports + signatures. In the long run, critical equipment needs a CSV retrofit (MES or SCADA).

 

Equipment + PLC + HMI (stand-alone) + SCADA (integrated)

SCADA data is CGMP electronic data and requires computerised system validation; the functions to cover include user management, privilege separation, time-stamped audit trail, data backup, reporting, alarm management, and record archiving and restore.

 

Disclaimer: the above content is provided for discussion and study only. The statements and opinions in the article are presented neutrally; no express or implied guarantee is given as to the accuracy, reliability or completeness of the content, which is for reference only and is used at the reader's own risk. Copyright belongs to the original author; in case of a copyright issue, contact the editor for removal.