[In-depth article] Data Integrity Risks in Production Equipment PLC/HMI/SCADA Systems
Computerized systems on production and engineering equipment within GMP scope mostly take one of three forms: PLC (Programmable Logic Controller), HMI (Human Machine Interface, i.e. the touch panel), and SCADA (Supervisory Control And Data Acquisition). Examples include automatic tablet presses, freeze dryers, coating machines, purified water generation, distribution and monitoring systems, and environmental monitoring systems.
Compared with the QC laboratory, which was previously the centre of the data integrity storm, production and engineering computerized systems more commonly suffer from: outdated systems (e.g., still running Windows XP), many standalone systems, many component units in the process chain, no data backup and no detailed audit trail, unclear privilege separation, and data and configuration that can be illegitimately modified or deleted.
Inspection deficiencies
An FDA Form 483 issued on 24 May 2018 (FEI number 3008565058) cited the following deficiencies relating to data integrity of production equipment:
The inspection found, with respect to data integrity:
(The firm's) computerized systems lack appropriate controls to ensure that master production and control records can be modified only by authorized personnel.
Specifically, your firm's production equipment does not comply with 21 CFR Part 11:
a. Currently, XX standalone pieces of production equipment are not configured with a suitable HMI/PLC/SCADA system, and therefore lack time-stamped audit trails, data management, alarm management, and record archiving and restoration functions;
b. Currently, XX standalone pieces of equipment have a built-in HMI, but these HMIs lack time-stamped audit trails, data management, alarm management, and record archiving and restoration functions;
c. Currently, XX standalone pieces of equipment have a built-in SCADA, but these SCADA systems lack time-stamped audit trails, data management, alarm management, and record archiving and restoration functions; these systems can only print real-time audit trail reports for the CPPs (critical process parameters), which are used to check and fill in the BMR (batch manufacturing record).
PDA Journal: Data Integrity Risks on SCADA Systems
The PDA journal published the following piece on data integrity risks in SCADA systems:
Data Integrity Risks on SCADA Systems
SCADA (Supervisory Control and Data Acquisition) software vendors have historically served industries that require tight controls over system configurations and data records. As a result, modern SCADA software systems have evolved to provide a robust set of tools intrinsically designed to prevent the intentional or unintentional undetectable alteration of system data. Most notably, the integration of electronic record management, electronic signatures, logical security, and audit trail functions are built-in or made available as optional features to provide compliance with FDA 21 CFR Part 11. However, there are several considerations and controls that are worth looking at regarding data integrity.
The front line defense is, of course, the security of the process network. Physical security of all network components should be considered in the design of the system. Production facilities, system servers, network switches, PLCs, IO modules, process instrumentation, and where possible, production workstation terminals should be kept under lock-and-key with access limited to as few individuals as necessary to operate and maintain the network hardware systems. Logical security should be limited to a documented list of authorized individuals, with clearly delineated permissions limiting their access to only those system functions commensurate to their level of responsibility and qualification to access or generate data on the system.
Clear guidelines for establishing security for a SCADA system are provided in the National Institute of Standards and Technology, Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security (Rev. 2, May 2015, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf). The document addresses security risks for Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC).
The Executive Summary of the Guide document offers examples of the types of possible incidents that might occur as a result of data security breaches or a lack of adequate data security on an industrial control system:
· Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.
· Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.
· Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects.
· ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects.
· Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.
· Interference with the operation of safety systems, which could endanger human life.
Notably, the Executive Summary does not highlight the potential loss, adulteration, or alteration to process data history stored in a SCADA database. This risk is, however, addressed extensively throughout the document.
The Executive Summary of the Guide document highlights the major security objectives for an ICS:
· Restricting logical access to the ICS network and network activity.
· Restricting physical access to the ICS network and devices.
· Protecting individual ICS components from exploitation.
· Restricting unauthorized modification of data.
· Detecting security events and incidents.
· Maintaining functionality during adverse conditions.
· Restoring the system after an incident.
In a typical ICS this means a defense-in-depth strategy that includes:
· Developing security policies, procedures, training and educational material that applies specifically to the ICS.
· Considering ICS security policies and procedures based on the Homeland Security Advisory System Threat Level, deploying increasingly heightened security postures as the Threat Level increases.
· Addressing security throughout the lifecycle of the ICS from architecture design to procurement, to installation to maintenance to decommissioning.
· Implementing a network topology for the ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
· Providing logical separation between the corporate and ICS networks (e.g., stateful inspection firewall(s) between the networks, unidirectional gateways).
· Employing a DMZ network architecture (i.e., prevent direct traffic between the corporate and ICS networks).
· Ensuring that critical components are redundant and are on redundant networks.
· Designing critical systems for graceful degradation (fault tolerant) to prevent catastrophic cascading events.
· Disabling unused ports and services on ICS devices after testing to assure this will not impact ICS operation.
· Restricting physical access to the ICS network and devices.
· Restricting ICS user privileges to only those that are required to perform each person's job (i.e., establishing role-based access control and configuring each role based on the principle of least privilege).
· Using separate authentication mechanisms and credentials for users of the ICS network and the corporate network (i.e., ICS network accounts do not use corporate network user accounts).
· Using modern technology, such as smart cards for Personal Identity Verification (PIV).
· Implementing security controls such as intrusion detection software, antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software to, within, and from the ICS.
· Applying security techniques such as encryption and/or cryptographic hashes to ICS data storage and communications where determined appropriate.
· Expeditiously deploying security patches after testing all patches under field conditions on a test system if possible, before installation on the ICS.
· Tracking and monitoring audit trails on critical areas of the ICS.
· Employing reliable and secure network protocols and services where feasible.
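The "file integrity checking software" control in the list above, and the incident type "ICS software or configuration settings modified", are concrete enough to show in code. The following Python script is an added example written for this page; it is not from the original article, the PDA journal or NIST SP 800-82. It builds a baseline of SHA-256 digests over a directory of PLC/HMI/SCADA configuration files, protects the baseline itself with an HMAC whose key is held away from the HMI (so an intruder who edits a configuration file cannot simply re-baseline), and reports which files were modified, deleted or added. The file names, file contents and key are constructed placeholders.

```python
"""Added example for this page (not from the original article, the PDA journal or
NIST SP 800-82): file-integrity baselining for ICS configuration artefacts.
File names, contents and the key are constructed placeholders."""
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 65536


def sha256_file(path):
    """SHA-256 of one file, read in chunks so large project files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def sign_baseline(baseline, key):
    """Protect the baseline itself with an HMAC; the key must not live on the HMI."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    return {"files": baseline, "hmac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def load_signed_baseline(signed, key):
    """Return the file map only if the stored baseline has not been altered."""
    payload = json.dumps(signed["files"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["hmac"]):
        raise ValueError("baseline signature mismatch: the baseline itself was altered")
    return signed["files"]


def compare_baseline(root, baseline):
    """Diff the current directory state against a trusted baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline, then an unauthorised change, deletion and addition."""
    key = b"example-key-held-by-qa-not-on-the-hmi"  # placeholder
    with tempfile.TemporaryDirectory() as root:
        _write(root, "plc/press_line1.project", b"PROGRAM MAIN\n  MaxPress := 25.0;\nEND_PROGRAM\n")
        _write(root, "hmi/recipes/tablet_A.csv", b"param,value\ncompression_force,18.5\n")
        _write(root, "scada/alarms.cfg", b"HI_TEMP=80\nHI_HI_TEMP=90\n")
        signed = sign_baseline(build_baseline(root), key)

        # Simulated tampering: alarm limits raised, a recipe removed, a rogue project added.
        _write(root, "scada/alarms.cfg", b"HI_TEMP=95\nHI_HI_TEMP=99\n")
        os.remove(os.path.join(root, "hmi/recipes/tablet_A.csv"))
        _write(root, "plc/backdoor.project", b"PROGRAM HIDDEN\nEND_PROGRAM\n")

        report = compare_baseline(root, load_signed_baseline(signed, key))

        # An attacker who also rewrites the stored baseline to match is caught by the HMAC.
        forged = {"files": build_baseline(root), "hmac": signed["hmac"]}
        try:
            load_signed_baseline(forged, key)
            forgery_detected = False
        except ValueError:
            forgery_detected = True
    return report, forgery_detected


if __name__ == "__main__":
    print(demo())
```

On a real line the baseline would be taken immediately after qualification of the system and re-taken only through change control; the comparison runs on a schedule from a host the HMI operators cannot log on to. The HMAC step matters because a plain digest list stored beside the files gives no protection at all against a privileged user who edits both.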
Typical PLC/HMI/SCADA – System Architecture
Typical PLC/HMI/SCADA – Data Flow
Figure 2. Schematic data flow of a typical automated production and engineering system [1]
Combining Figure 1 and Figure 2, in a typical automated production and engineering system:
the data flow is: equipment runs continuously → PLC acquires data from the equipment → transient data in the PLC → transient data in the HMI (standalone) → stored data in SCADA (integrated)
21 CFR 211.68(b) and EU Annex 11 paragraph 5 both explicitly require that, to ensure data integrity, the input to and output from a computerized system of data, records or other information must be checked for accuracy. To meet this expectation, the company needs to periodically verify the computerized system's hardware, software and interfaces, so as to ensure the accuracy and reliability of data that comes directly from the equipment (TGA, Code of GMP, 2013).
Typical PLC/HMI/SCADA – Data Controls
As shown in Figure 2, to ensure data integrity across the whole data flow:
1. First, the CGMP electronic data that must be controlled (e.g., with the time-stamped audit trail mentioned above) is the data as finally saved, and it must be saved at the time the CGMP operation is performed (the Contemporaneous requirement of ALCOA in data integrity). Therefore the transient data in the PLC is not the CGMP electronic record, whereas the saved data in SCADA is (21 CFR 211.100(b)).
2. The integrity of the CGMP electronic data stored on SCADA requires data controls such as time-stamped audit trails, data management, alarm management, and record archiving and restoration (EU Annex 11).
3. The integrity of the transient data on the PLC and HMI relies instead on IT infrastructure qualification (GAMP 5: IT Infrastructure qualification), instrument calibration, and I/O accuracy testing (EU Annex 15).
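Points 1 to 3 above, together with the NIST list items on tracking audit trails, least-privilege role-based access and cryptographic hashes over stored ICS data, can be illustrated with one small model. The following Python code is an added example written for this page; it is not code from the original article or from any SCADA product. It contains a hypothetical role-permission table, a time-stamped audit trail in which every entry (including denied attempts) carries an HMAC chained to the previous entry, and a verify routine that reports the first altered record. The roles, actions, users, tag names and key are placeholders; the fixed clock exists only to make the demo deterministic.

```python
"""Added example for this page (not from the original article or any SCADA product):
a role-based, time-stamped, HMAC-chained audit trail for CGMP electronic records.
Roles, actions, users, tags and the key are hypothetical placeholders."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Hypothetical least-privilege table: operators run the process but cannot change
# setpoints or alarm limits; QA can read and export the trail but not alter values.
ROLE_PERMISSIONS = {
    "operator": {"view", "ack_alarm"},
    "supervisor": {"view", "ack_alarm", "change_setpoint"},
    "engineer": {"view", "ack_alarm", "change_setpoint", "change_alarm_limit"},
    "qa": {"view", "export_audit_trail"},
}


class PermissionDenied(Exception):
    pass


class AuditTrail:
    GENESIS = "0" * 64  # chain anchor for the first entry

    def __init__(self, key, clock=None):
        self._key = key
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.entries = []   # append-only list of audit records
        self.values = {}    # current tag values (the "saved data")

    def _mac(self, entry):
        """HMAC over the canonical entry (minus its own mac); 'prev' links it to the chain."""
        body = {k: v for k, v in entry.items() if k != "mac"}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def apply(self, user, role, action, tag, new_value, reason):
        """Authorise, apply and record one change; denied attempts are recorded too."""
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        old_value = self.values.get(tag)
        if allowed:
            self.values[tag] = new_value
        entry = {
            "seq": len(self.entries),
            "timestamp": self._clock().isoformat(timespec="seconds"),
            "user": user, "role": role, "action": action, "tag": tag,
            "old": old_value, "requested": new_value, "reason": reason,
            "outcome": "applied" if allowed else "denied",
            "prev": self.entries[-1]["mac"] if self.entries else self.GENESIS,
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        if not allowed:
            raise PermissionDenied(f"{user} ({role}) is not permitted to {action}")
        return entry

    def verify(self):
        """Walk the chain; return (True, None) or (False, seq of the first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(e["mac"], self._mac(e)):
                return False, i
            prev = e["mac"]
        return True, None


def demo():
    """Constructed scenario: one permitted change, one denied attempt, one alarm
    acknowledgement, then an after-the-fact edit of a stored record."""
    ticks = iter(range(1000))
    start = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)
    clock = lambda: start + timedelta(seconds=next(ticks))  # deterministic stand-in
    trail = AuditTrail(b"example-key-held-by-qa-not-on-the-hmi", clock)  # placeholder key

    trail.apply("jsmith", "supervisor", "change_setpoint",
                "press1.compression_force_kN", 18.5, "load recipe for batch 2024-015")
    try:
        trail.apply("ops01", "operator", "change_alarm_limit",
                    "press1.hi_temp_limit_C", 95, "nuisance alarm")
    except PermissionDenied:
        pass  # recorded as 'denied'; the value is unchanged
    trail.apply("ops01", "operator", "ack_alarm", "press1.hi_temp_alarm", "ACK", "acknowledged")
    intact = trail.verify()

    trail.entries[0]["requested"] = 22.0  # someone edits the stored record directly
    tampered = trail.verify()
    return trail, intact, tampered


if __name__ == "__main__":
    t, intact, tampered = demo()
    print(intact, tampered, t.entries[1]["outcome"])
```

Two design points carry over to a real system. The timestamp must come from a synchronised, protected time source rather than the HMI's local clock, otherwise the Contemporaneous requirement rests on a value any operator can set. And the MAC key must not be stored on the same host as the records: if an engineer account can read it, that account can rewrite and re-sign the whole chain, so verification by QA must run with a key the production roles never hold.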
Recommended measures
Equipment only, or equipment with an add-on PLC controller
1. Equipment qualification before use; production parameters are recorded; any modification is under procedural control
2. Periodic calibration of sensors and verification of parameter settings
3. Time stamp: install a clock in the production area, verify it periodically, and have operators record the time in real time as they write the batch record
Equipment + PLC + HMI (final data storage)
1. The HMI data is CGMP e-data and requires computerized system validation, covering functions such as user management, privilege separation, time-stamped audit trail, data management, report generation, alarm management, and record archiving and restoration
2. If, because of limited capability, the audit trail, data backup and privilege functions above cannot be implemented, the interim measure is procedural control: an operations logbook plus printed reports with signatures. In the long term, important equipment needs a CSV technical upgrade (MES or SCADA).
Equipment + PLC + HMI (standalone) + SCADA (integrated)
The SCADA data is CGMP e-data and requires computerized system validation, covering functions such as user management, privilege separation, time-stamped audit trail, data management, report generation, alarm management, and record archiving and restoration
Disclaimer: the above content is provided for exchange and learning purposes only. We remain neutral on the statements and opinions in the text and give no express or implied warranty as to the accuracy, reliability or completeness of its content. It is for reference only, and readers bear full responsibility for its use. Copyright belongs to the original author; in case of copyright issues, please contact the editor for removal.