
[In-depth article] Data integrity risks of production equipment PLC/HMI/SCADA!

2019-08-08 15:45:19 Shandong Yaozhi Information Technology Co., Ltd.



Source: WeChat public account 允咨GMP (WeChat ID YOUTH20171219). The article is reposted from the public account GMP辦公室; author: Translation Group.

 

Within GMP, the computerized systems of the usual production and engineering equipment mostly take one of three forms: PLC (Programmable Logic Controller), HMI (Human Machine Interface, i.e. the touch screen), and SCADA (Supervisory Control And Data Acquisition). Examples include automatic tablet presses, dryers, coating machines, water preparation/distribution and monitoring systems, and environmental monitoring systems.

 

Compared with the QC laboratory, which was at the center of the earlier data integrity storm, the computerized systems of production and engineering commonly suffer from: outdated systems (e.g., still running Windows XP), many standalone systems, many components and units in the process, no data backup and no detailed audit trail, unclear privilege separation, and data and configuration that can be illegitimately modified or deleted.

 

Inspection findings

 

An FDA Form 483 issued on 24 May 2018 (FEI 3008565058) cites deficiencies related to production equipment data integrity:

[Image: 圖片2.png]

 

The inspection found, regarding data integrity:

 

Computerized systems (within the company) lack appropriate controls to ensure that master production and control records are modified only by authorized persons.

It was pointed out that the company's production equipment does not comply with 21 CFR Part 11:

a. Currently, the XX standalone production equipment is not configured with an appropriate HMI/PLC/SCADA system, so it lacks a time-stamped audit trail, data backup management, alarm management, record archiving and recovery, and similar functions;

b. Currently, the XX standalone equipment has a built-in HMI, but the HMI lacks a time-stamped audit trail, data backup management, alarm management, record archiving and recovery, and similar functions;

c. Currently, the XX standalone equipment has a built-in SCADA, but the SCADA lacks a time-stamped audit trail, data backup management, alarm management, record archiving and recovery, and similar functions; the equipment can only print a real-time audit trail report for the CPPs (critical process parameters), which is used to verify the entries made in the BMR (batch manufacturing record).

 

PDA Journal: data integrity risks on SCADA systems

The PDA Journal published the following article on the data integrity risks of SCADA systems.

Data Integrity Risks on SCADA Systems

 

SCADA (Supervisory Control and Data Acquisition) software vendors have historically served industries that require tight controls over system configurations and data records. As a result, modern SCADA software systems have evolved to provide a robust set of tools intrinsically designed to prevent the intentional or unintentional undetectable alteration of system data. Most notably, electronic record management, electronic signatures, logical security, and audit trail functions are built in or made available as optional features to provide compliance with FDA 21 CFR Part 11. However, there are several considerations and controls that are worth looking at regarding data integrity.

 

The front line defense is, of course, the security of the process network. Physical security of all network components should be considered in the design of the system. Production facilities, system servers, network switches, PLCs, IO modules, process instrumentation, and where possible, production workstation terminals should be kept under lock-and-key with access limited to as few individuals as necessary to operate and maintain the network hardware systems. Logical security should be limited to a documented list of authorized individuals, with clearly delineated permissions limiting their access to only those system functions commensurate to their level of responsibility and qualification to access or generate data on the system.

 

Clear guidelines for establishing security for a SCADA system are provided in the National Institute of Standards and Technology, Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security (Rev. 2, May 2015, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf). The document addresses security risks for Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC).

 

The Executive Summary of the Guide document offers examples of the types of possible incidents that might occur as a result of data security breaches or a lack of adequate data security on an industrial control system:

· Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.

· Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.

· Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects.

· ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects.

· Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.

· Interference with the operation of safety systems, which could endanger human life.

 

Notably, the Executive Summary does not highlight the potential loss, adulteration, or alteration of process data history stored in a SCADA database. This risk is, however, addressed extensively throughout the document.

 

The Executive Summary of the Guide document highlights the major security objectives for an ICS:

· Restricting logical access to the ICS network and network activity.

· Restricting physical access to the ICS network and devices.

· Protecting individual ICS components from exploitation.

· Restricting unauthorized modification of data.

· Detecting security events and incidents.

· Maintaining functionality during adverse conditions.

· Restoring the system after an incident.

 

In a typical ICS this means a defense-in-depth strategy that includes:

· Developing security policies, procedures, training and educational material that applies specifically to the ICS.

· Considering ICS security policies and procedures based on the Homeland Security Advisory System Threat Level, deploying increasingly heightened security postures as the Threat Level increases.

· Addressing security throughout the lifecycle of the ICS from architecture design to procurement, to installation to maintenance to decommissioning.

· Implementing a network topology for the ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.

· Providing logical separation between the corporate and ICS networks (e.g., stateful inspection firewall(s) between the networks, unidirectional gateways).

· Employing a DMZ network architecture (i.e., prevent direct traffic between the corporate and ICS networks).

· Ensuring that critical components are redundant and are on redundant networks.

· Designing critical systems for graceful degradation (fault tolerant) to prevent catastrophic cascading events.

· Disabling unused ports and services on ICS devices after testing to assure this will not impact ICS operation.

· Restricting physical access to the ICS network and devices.

· Restricting ICS user privileges to only those that are required to perform each person's job (i.e., establishing role-based access control and configuring each role based on the principle of least privilege).

· Using separate authentication mechanisms and credentials for users of the ICS network and the corporate network (i.e., ICS network accounts do not use corporate network user accounts).

· Using modern technology, such as smart cards for Personal Identity Verification (PIV).

· Implementing security controls such as intrusion detection software, antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software to, within, and from the ICS.

· Applying security techniques such as encryption and/or cryptographic hashes to ICS data storage and communications where determined appropriate.

· Expeditiously deploying security patches after testing all patches under field conditions on a test system if possible, before installation on the ICS.

· Tracking and monitoring audit trails on critical areas of the ICS.

· Employing reliable and secure network protocols and services where feasible.
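Several items in the list above (audit trails on critical areas, cryptographic hashes over ICS data storage, file integrity checking) come together in one control: a time-stamped audit trail whose entries are hash-chained, so that a record which was altered, deleted or truncated after the fact is detected on verification rather than silently accepted. The code below is an added example and is not from the page, the PDA article or NIST SP 800-82; tag names, user names and change reasons are constructed, and storing the head hash "outside" the trail is modelled here by simply keeping it in a variable.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example (not from the page): a time-stamped, hash-chained audit trail
# for SCADA parameter changes. Entry N commits to the hash of entry N-1, so a
# later alteration or deletion of any entry breaks the chain on verification.
# Tag names, users and reasons below are constructed sample data.

GENESIS_HASH = "0" * 64  # the "previous hash" used for the very first entry


def _entry_hash(prev_hash: str, body: dict) -> str:
    # Canonical JSON (sorted keys) so identical content always hashes identically.
    payload = json.dumps({"prev": prev_hash, "body": body}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []  # dicts with seq, timestamp, user, tag, old, new, reason, hash

    def record(self, user, tag, old_value, new_value, reason, when=None):
        """Append one change record; `when` defaults to the current UTC time."""
        when = when or datetime.now(timezone.utc)
        body = {
            "seq": len(self.entries) + 1,
            "timestamp": when.isoformat(),
            "user": user,
            "tag": tag,
            "old": old_value,
            "new": new_value,
            "reason": reason,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = dict(body, hash=_entry_hash(prev, body))
        self.entries.append(entry)
        return entry

    def head(self):
        """Hash of the newest entry. Keep a copy outside the trail (e.g. with the
        backup set) so that removal of trailing entries can also be detected."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def verify(self, expected_head=None):
        """Return (ok, message). Detects altered entries, entries deleted or
        inserted in the middle and, given expected_head, deletion at the end."""
        prev = GENESIS_HASH
        for position, entry in enumerate(self.entries, start=1):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != position:
                return False, f"sequence break at position {position}: entry deleted or inserted"
            if _entry_hash(prev, body) != entry["hash"]:
                return False, f"hash mismatch at seq {entry['seq']}: entry altered"
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return False, "head differs from the recorded head: trailing entries removed"
        return True, "audit trail intact"


def tamper_scenarios():
    """Build a small trail and show what each kind of tampering looks like."""
    trail = AuditTrail()
    trail.record("alee", "TT-101.HiHi", 85.0, 90.0, "process change PC-0007")
    trail.record("jsmith", "PUMP-3.Setpoint", 40.0, 42.5, "batch start")
    trail.record("alee", "TT-101.HiHi", 90.0, 85.0, "reverted after review")
    head = trail.head()  # stands in for a copy kept outside the trail
    results = {"intact": trail.verify(head)[0]}

    altered = AuditTrail()
    altered.entries = [dict(e) for e in trail.entries]
    altered.entries[0]["new"] = 95.0  # a stored value edited after the fact
    results["altered"] = altered.verify(head)

    deleted = AuditTrail()
    deleted.entries = [dict(e) for e in trail.entries]
    del deleted.entries[1]  # a middle entry removed
    results["deleted_middle"] = deleted.verify(head)

    truncated = AuditTrail()
    truncated.entries = [dict(e) for e in trail.entries[:-1]]  # last entry removed
    results["truncated_no_head"] = truncated.verify()        # passes: chain valid up to the cut
    results["truncated_with_head"] = truncated.verify(head)  # caught by the recorded head
    return results


if __name__ == "__main__":
    for name, outcome in tamper_scenarios().items():
        print(name, outcome)
```

The truncation case is the one to note: a chain on its own only proves that the entries still present are consistent with each other, so detecting a trail that was cut short requires the latest hash to be kept somewhere the trail's own storage cannot overwrite, which is the role the backup and archiving measures in the list play.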

 

Typical PLC/HMI/SCADA – system architecture

[Figure 1 (image 圖片3.png): system architecture]

Typical PLC/HMI/SCADA – data flow

[Figure 2 (image 圖片4.png)]

Figure 2. Schematic of the data flow in a typical automated production and engineering system [1]

Taking Figures 1 and 2 together, in a typical automated production and engineering system:

The data flow is: the equipment runs continuously → the PLC acquires data from the equipment → the PLC transmits the data → the HMI (standalone) stores the data short-term → the SCADA (integrated) stores the data long-term.

 

Both 21 CFR 211.68(b) and EU Annex 11 paragraph 5 explicitly require that, to ensure data integrity, the input to and output from a computerized system of data, records or other information must be checked for accuracy. To meet this expectation, the company needs to periodically verify and qualify the computerized system's hardware and interfaces, to ensure the accuracy and reliability of data that originates directly from the equipment (TGA, Code of GMP, 2013).

 

Typical PLC/HMI/SCADA – data control measures

As shown in Figure 2, to ensure data integrity across the whole data flow:

1. First, the CGMP electronic data that must be placed under control (e.g., by the time-stamped audit trail mentioned above) is data whose final storage time must be the same as the time the CGMP operation is performed (the Contemporaneous requirement of ALCOA data integrity). Therefore the PLC's transient data is not CGMP electronic data, whereas the SCADA's saved data is (21 CFR 211.100(b)).

2. The integrity of the CGMP electronic data stored on the SCADA requires data control measures such as a time-stamped audit trail, data backup management, alarm management, and record archiving and recovery (EU Annex 11).

3. The integrity of the transient data on the PLC and HMI rests on IT infrastructure qualification (GAMP 5 IT Infrastructure Qualification), equipment calibration, and I/O accuracy testing (EU Annex 15).
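The data flow and the three points above can be made concrete in code: PLC samples carry their acquisition time, the HMI holds only a short-term buffer, and the SCADA historian, as the keeper of the CGMP record, stores the save time alongside each sample and flags any record whose save time is not contemporaneous with its acquisition (a stale transfer, or a PLC clock running ahead). An I/O accuracy test against a calibrated reference covers point 3. This is an added example, not code from the page or from any SCADA product; the 30-second tolerance, the tag names, the values and the timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Added example (not from the page): the PLC -> HMI -> SCADA data flow with
# (1) a contemporaneity check at the point of long-term storage and
# (2) an I/O accuracy test against a calibrated reference.
# Tag names, values, times and the 30 s tolerance are constructed assumptions.


@dataclass(frozen=True)
class PlcSample:
    """Transient PLC data: a tag value and the time the PLC acquired it."""
    tag: str
    value: float
    acquired_at: datetime


@dataclass(frozen=True)
class SavedRecord:
    """Long-term SCADA record: the sample, the time it was saved, and any flag."""
    sample: PlcSample
    saved_at: datetime
    flag: str  # empty when the record passed the contemporaneity check


class ScadaHistorian:
    def __init__(self, max_latency: timedelta = timedelta(seconds=30)):
        self.max_latency = max_latency  # how far apart "same time" may be (assumption)
        self.records: List[SavedRecord] = []

    def save(self, sample: PlcSample, now: datetime) -> SavedRecord:
        latency = now - sample.acquired_at
        if latency < timedelta(0):
            flag = "acquisition time is after save time: clock skew or backdated record"
        elif latency > self.max_latency:
            flag = f"late save: {latency.total_seconds():.0f}s after acquisition"
        else:
            flag = ""
        record = SavedRecord(sample, now, flag)
        self.records.append(record)
        return record

    def flagged(self) -> List[SavedRecord]:
        return [r for r in self.records if r.flag]


def transfer_hmi_buffer(buffer: List[PlcSample], historian: ScadaHistorian,
                        now: datetime) -> List[SavedRecord]:
    """Move the HMI's short-term buffer into the historian; the HMI keeps nothing."""
    saved = [historian.save(sample, now) for sample in buffer]
    buffer.clear()
    return saved


def io_accuracy_test(readings: List[Tuple[float, float]],
                     tolerance: float) -> List[Tuple[float, float]]:
    """readings: (reference_value, plc_reading) pairs taken against a calibrated
    source. Returns the pairs whose deviation exceeds the tolerance."""
    return [(ref, got) for ref, got in readings if abs(got - ref) > tolerance]


def demo():
    t0 = datetime(2019, 8, 8, 15, 0, tzinfo=timezone.utc)
    hmi_buffer = [
        PlcSample("TT-101", 84.6, t0),                         # transferred promptly
        PlcSample("TT-101", 84.9, t0 - timedelta(minutes=5)),  # sat in the buffer too long
        PlcSample("PT-201", 1.02, t0 + timedelta(minutes=1)),  # PLC clock one minute ahead
    ]
    historian = ScadaHistorian()
    transfer_hmi_buffer(hmi_buffer, historian, now=t0 + timedelta(seconds=10))
    # Reference 0 / 50 / 100 applied to the input; third reading is out of tolerance.
    io_failures = io_accuracy_test([(0.0, 0.1), (50.0, 50.3), (100.0, 101.2)], tolerance=0.5)
    return historian, io_failures


if __name__ == "__main__":
    historian, io_failures = demo()
    for rec in historian.records:
        print(rec.sample.tag, rec.sample.value, rec.flag or "ok")
    print("I/O accuracy failures:", io_failures)
```

A flagged record is still stored: the point of the check is that the discrepancy between acquisition time and storage time becomes part of the record and can be reviewed, rather than the historian quietly presenting a late or backdated value as if it had been recorded at the time of the operation.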

 

Countermeasures

Equipment only, or equipment with an added PLC control

1. Qualify the equipment before it is put into use; keep records of the parameters used in production; place any modification under procedural control.

2. Periodically verify the sensors and parameters.

3. Time stamp: use a production-area clock that is checked periodically, and have operators record in real time when filling in batch records.

Equipment + PLC + HMI (final data storage)

1. HMI data is CGMP e-data; computerized system validation is required, covering functions such as user management, privilege separation, time-stamped audit trail, data backup management, production reports, alarm management, and record archiving and recovery.

2. If, owing to limited capability, the audit trail, data backup and privilege functions above cannot be implemented, an interim measure is procedural control: an operation logbook plus paper reports plus signatures. In the long run, important equipment needs a CSV (computerized system validation) upgrade (MES or SCADA).

Equipment + PLC + HMI (standalone) + SCADA (integrated)

SCADA data is CGMP e-data; computerized system validation is required, covering functions such as user management, privilege separation, time-stamped audit trail, data backup management, production reports, alarm management, and record archiving and recovery.

 
