Enabling Secure Environments for Pharmaceutical Manufacturing - An Implementation Guidebook


Enabling Secure Environments for Pharmaceutical Manufacturing Organizations.


Contents
• Overview and Outlook
• Document Scope and Intended Audience
• Key Considerations
• Core Concepts
• Securing Standalone Systems
• Documenting ICS-specific Process & Procedures
• Security Awareness Training
• Periodic Security Testing/Audit
• Configuration Change Management
• Risk Assessment
• Comprehensive and Real-time Security Management
• Intrusion and Insider Threat Detection
• SIEM and Threat Intelligence


Overview and Outlook
Information flow and research are the lifeblood of today's pharmaceutical industry. With billions of dollars in sales every year, the industry is pursuing robust growth while depending ever more on computing systems to control, automate and monitor plant machinery. Industrial security experts have noted a 600% increase in control system vulnerability disclosures over the past couple of years.

The pharmaceutical and life sciences industry is among the most heavily regulated in the world. A breach of plant security typically has a devastating impact on trust and reliability and amounts to a violation of patient health and safety norms. In recent times, several different organized cybercrime groups have been found responsible for a number of high-level breaches; animal rights "hacktivism", corporate espionage and international terrorism are the most common motives. In 2015, nearly two-thirds of US pharma companies fell prey to severe data breaches, while a quarter suffered a hacking incident[1]. In India, biopharma remains one of the most targeted industries with critical infrastructure. To keep up with the evolving threat landscape, regulatory authorities are urging drug manufacturers, biotechnology and medical technology companies to confront their critical asset protection needs and operational security imperatives. The fundamental first step is awareness of the attack points they must protect and the controls needed to protect them.

Document Scope and Intended Audience
This paper details the threats and challenges in securing critical infrastructure in pharma manufacturing companies and medical research facilities, and the strategies that can help enforce comprehensive plant security for the facility. Security threats to standalone systems and procedural countermeasures are highlighted.

The document will be useful for plant owners, commissioning executives and security implementation teams in planning and reviewing their security management goals, practices and

[1] 2015 survey by Crown Records Management


Key Considerations
Plant security practitioners must prepare to address challenges that differ from those traditional IT faces. The attack surface is riddled with complexities in the form of proprietary operating systems, hybrid technology and legacy systems. Traditional off-the-shelf prevention tools are unsuitable for three reasons: the plant is a real-time system, availability is critical, and terminal/interface devices are lightweight with limited computing and memory resources. Moreover, the inherently weak authentication mechanisms and privilege management call for a SCADA-centric implementation of intrusion detection.

Every industrial control system and logic controller uses a set of communication protocols that require holistic review and analysis, especially as developers often use "wrappers" and modules around legacy code to preserve interoperability. This is an unsafe practice, since it exposes core components to risks from errors that manifest in mission-critical situations. It would be impractical to fit a 1980s car with today's safety devices and believe it is as safe as a new model. A large number of industrial automation systems are built on foundational technology created in the 80s and 90s. To control these legacy environments from a security perspective, one needs to implement a suite of measures optimized for the risks identified for each critical asset.

Core Concepts
The process control infrastructure must be protected from both intentional and unintentional threats. Measures must be in place to protect data from tampering or destruction. In an ICS environment, the availability of control systems, the safety of human life and the integrity of the data being processed are of paramount importance.

Essentials to guard
• Access: rights, privileges and controls to protect assets from unpermitted access or loss.
• Authentication: establish a password and authentication policy.
• Accountability: responsibilities of users, operations staff and management.
• Availability: ensure that baselines for resource availability, redundancy and recovery are achieved.
• Confidentiality: protect proprietary and sensitive data and information from entities that have neither the right nor the need for access.
• Timeliness: responsiveness of the system and timeliness of any related data being delivered in its designated time period.


Securing Standalone Systems
In chemical plants, a systematic hardening exercise is necessary to prevent control of critical equipment from falling into the wrong hands. Compromising a manufacturing system through physical access is undoubtedly the most direct and simple way a threat actor can cause disruption. Access management must be approached from three perspectives:
• Platform Configuration Testing
• Hardware Access Control Policy Review
• Software Vulnerability Management

Platform Vulnerabilities
OS and Software Patch Management – Alterations to vendor software must pass time-consuming regression testing before distribution, so patches for control systems tend to lag; applying them promptly once released greatly reduces the window of vulnerability. Default configuration flaws that lead to insecure functionality and exploitable services/applications need to be identified, and inadequate password policies, password disclosure and guessing must be mitigated.

Hardware Protection & Physical Infrastructure Access Policy
Protection of facilities, equipment, rooms and information assets needs a well-planned perimeter along with a flexible and reliable access control system.
Review of Security Architecture and Design – An assessment of the available security features and their optimization is the starting point. The readiness and adequacy of equipment implementation guidelines and the accountability of security enforcement teams are appraised.
Role-based Access Limiting – The aptness of access policies must be assessed to identify improper or inadequate rules and to validate that the mechanisms used are effective in verifying the identity of the person requesting access. A combination of detection and monitoring systems can be used to validate whether role-based access is prudently administered. Access monitoring systems, some of which can be compromised with relative ease, have to be examined periodically to ensure that they function as expected, and IAM server logs have to be reviewed regularly.
Unsecured Physical Ports – USB and PS/2 ports could admit unauthorized thumb drives, keyloggers and the like. Rules and signatures on antivirus and malware protection tools must be updated automatically.
Physical Access to Monitoring Systems – These systems must be protected from unauthorized malicious actions such as altering or destroying ACLs and databases or unplugging data links.
Portable Devices – Sensitive data stored on laptops and PDAs needs to be protected from theft or misuse.

Software/Application Vulnerability Management
Vendor software installed on the control system can have a myriad of security vulnerabilities arising from default or improper configuration. Using static and dynamic analysis, the application is tested against cyber attacks that target authentication bypass.

Documenting ICS-specific Process & Procedures
In the context of standalone systems, issues can include the use of insecure ICS protocols, buffer overflows, attacks on the availability of access-limiting mechanisms, proprietary software bugs and unneeded services. A detailed security policy is required to govern the security of the control process, the deployment of technology and the handling of critical data or assets. Policies aim to ensure that protection tactics are both consistent and up to date against evolving threats. It is important to set forth the objectives and goals of the security program: security practitioners describe the "what" and the "how", and establish the planned activities and prescribed controls.

Asking questions such as the following helps cover the pivotal areas:
• How will security patches be maintained?
• How will new patches be tested before deployment?
• What mechanisms will be in place to protect portable devices in the facility?
• How will systems be restored to prevent data loss and maintain availability?
Security procedures support the implementation of policies and must be documented, tested and updated in line with policy and technology changes.

Security Awareness Training
All personnel directly involved in routine plant operations, including perimeter security staff, commissioning and deployment teams, IT support executives and those responsible for plant operation, must be made aware of security policies, procedures, principles and practices to ensure all-round participation in achieving and maintaining the optimum level of security. Security awareness must be a mandatory part of employee training programs, and all updates to roles, responsibilities and duties must be communicated to the individuals concerned.

Periodic Security Testing/Audit
Hardware, software, interfaces and access gateways in the plant facility are subject to periodic security reviews by independent authorities. These reviews incorporate vulnerability discovery, assessment and exploitability or penetration testing to ascertain the impact of a potential breach and identify the most efficient mitigation techniques. Progressive testing applies the attacker's perspective, with changing intents and motives over time, to ensure that the system remains resistant to common threats as well as the latest, more prevalent attack vectors. Standardization agencies like NIST provide guidelines on accountability with regard to generating records, their content, capacity, retention and non-repudiation. Physical attack scenarios can be simulated to understand the possibilities of compromise by negligent and malicious insiders. ICS systems are audited to test the adequacy of controls and to ensure that they are operated in conformity with established policies and directives as well as regulatory requirements such as the FDA's Current Good Manufacturing Practices. The ultimate goal of appraising the security posture of ICS systems is continuous situational awareness for management, so that they can prepare and plan for system availability.

Configuration Change Management
Comprehensive and categorical documentation of the changes, updates and integrations applied to software, firmware and hardware is maintained throughout the project. This record is a useful tool for forensics and auditing. Adequate testing of security changes must be carried out, to the extent possible, before such changes are recorded.

Risk Assessment
Achieving a risk-appropriate security level must be the topmost goal for infrastructure protection. A rigorous, deep-dive risk assessment is designed to take into account the factors that are critical to process continuity. In an environment that warrants a multi-level hierarchical access policy, it is important to identify high-profile targets and where they lie in terms of attack impact. A closed network of HMIs communicating with PLCs and other field devices is often also networked to database servers and development units; these systems can introduce threats to data confidentiality and integrity.

Threat Model
Systematic identification and mapping of threats based on:
• Selection of technologies, architecture and tools
• Project configuration and programming techniques
• Deployment and commissioning
• Operation and maintenance


Risk assessment is carried out to understand the process, its dependencies and the potential risk factors associated with the different components of ICS systems. Vulnerability scanning, as an integral part of security monitoring, can help in fine-tuning and simplifying the measures taken to secure them; it is performed to appraise operational technology for firmware weaknesses, backdoors, insecure coding and the lack of appropriate mitigation technologies. Risks are analyzed on the basis of influencing factors such as system architecture, complexity, probability of attack and consequences. When a security incident occurs, a rapid risk assessment is performed to gauge the impact and determine the tools needed to respond and eradicate. Disaster recovery plans are also prepared and tested to minimize downtime.
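The following is an added worked example, not code from this paper or from any vendor, of the risk analysis described above: each asset is scored on consequence (availability, safety, integrity), exploitability and how many network hops separate it from an attacker's entry point, and the ranking is recomputed after one link is removed to show what segmentation buys. The plant layout, asset names, links and all scores are constructed for illustration, and the scoring formula is an assumption of this example rather than a published method.

```python
"""Added example, not taken from the paper: rank ICS assets by risk using
consequence (availability, safety, integrity), exploitability and network
reachability from an attacker's entry point, then show the effect of
removing one link. Every asset, link and score below is constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Asset:
    name: str
    # Consequence of compromise, 1-5, for the three properties the paper
    # puts first in an ICS: availability, human safety, data integrity.
    availability: int
    safety: int
    integrity: int
    # 1-5: how readily known weaknesses on the asset can be exploited
    # (for example an unpatched firmware version). Constructed values.
    exploitability: int
    hops_from_entry: Optional[int] = None  # filled in by rank_assets

    def consequence(self) -> int:
        # Worst case across the three properties, not their sum: a single
        # safety impact of 5 must not be diluted by low scores elsewhere.
        return max(self.availability, self.safety, self.integrity)


def reachable_hops(links: Dict[str, Set[str]], entry: str) -> Dict[str, int]:
    """Breadth-first search over directed links from the entry point.
    Returns the shortest hop count per asset; unreachable assets are absent."""
    hops = {entry: 0}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        for nxt in links.get(node, set()):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops


def risk_score(asset: Asset) -> int:
    """Likelihood x consequence. Likelihood falls by one for every hop an
    attacker must traverse; an unreachable asset keeps a residual
    likelihood of 1 (this model covers network paths only, not the
    physical access the paper treats separately)."""
    if asset.hops_from_entry is None:
        likelihood = 1
    else:
        likelihood = max(1, asset.exploitability - asset.hops_from_entry)
    return likelihood * asset.consequence()


def rank_assets(assets: List[Asset], links: Dict[str, Set[str]],
                entry: str) -> List[Tuple[str, int]]:
    """Highest risk first; ties broken by name for a stable ordering."""
    hops = reachable_hops(links, entry)
    for a in assets:
        a.hops_from_entry = hops.get(a.name)
    return sorted(((a.name, risk_score(a)) for a in assets),
                  key=lambda item: (-item[1], item[0]))


def without_link(links: Dict[str, Set[str]], src: str, dst: str) -> Dict[str, Set[str]]:
    """Copy of the link map with one path removed (a segmentation what-if)."""
    copy = {k: set(v) for k, v in links.items()}
    copy.get(src, set()).discard(dst)
    return copy


# Constructed plant: the corporate LAN reaches a database server and a
# development workstation; the HMI network sits behind the database server,
# and the development workstation can also program the reactor PLC directly.
LINKS = {
    "corporate_lan": {"database_server", "dev_workstation"},
    "database_server": {"hmi_1"},
    "dev_workstation": {"plc_reactor"},
    "hmi_1": {"plc_reactor", "plc_packaging"},
}
ASSETS = [
    Asset("corporate_lan", 2, 1, 2, exploitability=5),
    Asset("database_server", 3, 1, 4, exploitability=4),
    Asset("dev_workstation", 2, 1, 3, exploitability=4),
    Asset("hmi_1", 4, 3, 3, exploitability=3),
    Asset("plc_reactor", 5, 5, 4, exploitability=4),
    Asset("plc_packaging", 4, 2, 2, exploitability=3),
    Asset("lab_standalone", 2, 1, 3, exploitability=5),  # no network links
]
ENTRY = "corporate_lan"

if __name__ == "__main__":
    for name, score in rank_assets(ASSETS, LINKS, ENTRY):
        print(f"{name:16} risk={score}")
    # What-if: take the development workstation off the reactor PLC.
    segmented = without_link(LINKS, "dev_workstation", "plc_reactor")
    print("plc_reactor after segmentation:",
          dict(rank_assets(ASSETS, segmented, ENTRY))["plc_reactor"])
```

With these constructed numbers the database server that bridges the corporate LAN and the HMI network ranks first, ahead of the reactor PLC whose consequence is highest, and removing the direct workstation-to-PLC path halves the PLC's score; the standalone lab unit scores lowest only because the model ignores physical access, which is the reason the paper keeps physical hardening as a separate exercise.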

Comprehensive and Real-time Security Management
In the industrial control system environment, detecting and tracking malicious changes to a plant's process control is the top priority. Achieving this level of maturity in defense is practically impossible without a systematic risk appraisal and threat analysis. The control system architecture is commonly planned with air-gapping in mind, but the USB ports, portable devices and database server links discussed above routinely bridge that gap, so the air gap cannot be relied upon on its own.

Intrusion and Insider Threat Detection
Continuous, granular visibility of host systems and master terminal units that access sensitive data and communicate with field devices is made effective by aligning it with the appropriate access rights and expected access patterns. An intrusion detection system with host-centric coverage and integration with a SIEM component can generate detailed views of the following:
• Network Packet Capture and Session Monitoring
• User-centric Access Log Management
• East-West Traffic and NetFlow Analysis
• File Access Patterns and Integrity Changes
• Algorithms and Heuristics
• Endpoint Activity and Forensics

Process control and automation systems are monitored using the host intrusion detection component, which tracks modifications to Windows registry entries, file systems and directories. Common events captured include:
• Rootkit Installations and Malware Delivery (e.g. USB Thief)
• Termination of Critical Services
• Rogue Processes
• Unwanted Applications


SIEM and Threat Intelligence
Security information and event management (SIEM) brings remarkable efficiency and provides an additional layer of threat visibility by gathering varied log data from gateway filtering tools, antivirus systems and access management mechanisms, which is then normalized for deeper, adjusted insight. A centralized log normalization and event correlation engine combines behavioral, probabilistic and specification-based intrusion information with global threat intelligence data to enable comparison with known attack patterns and signatures. Malicious triggers and risky behavior are spotted and alerted on immediately. Visualizing anomalies and suspicious activity in their full context can accelerate and streamline incident response.
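The following is an added example, not code from this paper or from any IDS or SIEM product, covering both the host intrusion detection events listed in the previous section (rogue processes, termination of critical services, registry and file integrity changes, removable media) and the correlation this section describes. Host rules run over constructed host event lines and raise one alert per hit; a SIEM-style rule then escalates the pattern a USB-borne installer leaves behind, which no single alert reveals on its own. The host name, allowlists, baseline hash, the log lines and the "ISO timestamp followed by key=value pairs" line format are all assumptions of this example.

```python
"""Added example, not taken from the paper or any product: host-based
detection rules for an operator station, followed by a SIEM-style
correlation over the alerts they raise. Host names, allowlists, baseline
hashes and the log lines themselves are constructed; the "key=value after
an ISO timestamp" line format is an assumption for this example."""
from datetime import datetime, timedelta
from typing import Any, Dict, List, Tuple

# Constructed per-host baselines of what is expected on the station.
ALLOWED_PROCESSES = {"HMI-01": {"hmi_runtime.exe", "db_agent.exe", "explorer.exe"}}
CRITICAL_SERVICES = {"HMI-01": {"HmiRuntime", "AlarmServer"}}
FILE_BASELINE = {"HMI-01": {r"C:\HMI\project.cfg": "a1b2c3"}}

# Constructed sample log (one host event per line, values carry no spaces).
SAMPLE_LOG = r"""
2016-04-12T08:00:01 host=HMI-01 type=process action=start name=hmi_runtime.exe
2016-04-12T08:05:10 host=HMI-01 type=usb action=insert device=USB-STICK-7731
2016-04-12T08:05:40 host=HMI-01 type=process action=start name=svchosts.exe
2016-04-12T08:05:42 host=HMI-01 type=registry action=set key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value=svchosts
2016-04-12T08:06:00 host=HMI-01 type=file action=modify path=C:\HMI\project.cfg hash=ffee00
2016-04-12T08:07:15 host=HMI-01 type=service action=stop name=AlarmServer
2016-04-12T09:30:00 host=HMI-01 type=process action=start name=db_agent.exe
"""


def parse_line(line: str) -> Dict[str, Any]:
    """'<iso-timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event: Dict[str, Any] = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def host_rules(ev: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Per-event host IDS checks; returns (rule, detail) pairs."""
    host = ev["host"]
    hits: List[Tuple[str, str]] = []
    if ev["type"] == "process" and ev["action"] == "start" \
            and ev["name"] not in ALLOWED_PROCESSES.get(host, set()):
        hits.append(("rogue_process", ev["name"]))
    if ev["type"] == "service" and ev["action"] == "stop" \
            and ev["name"] in CRITICAL_SERVICES.get(host, set()):
        hits.append(("critical_service_stopped", ev["name"]))
    if ev["type"] == "registry" and ev["key"].lower().endswith("\\run"):
        hits.append(("persistence_run_key", ev["value"]))  # autostart write
    if ev["type"] == "file":
        expected = FILE_BASELINE.get(host, {}).get(ev["path"])
        if expected is not None and expected != ev["hash"]:
            hits.append(("integrity_change", ev["path"]))
    if ev["type"] == "usb" and ev["action"] == "insert":
        hits.append(("removable_media", ev["device"]))
    return hits


def detect(log_text: str) -> List[Dict[str, Any]]:
    """Run every host rule over every line; one alert per rule hit."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for rule, detail in host_rules(ev):
            alerts.append({"ts": ev["ts"], "host": ev["host"],
                           "rule": rule, "detail": detail})
    return alerts


def correlate(alerts: List[Dict[str, Any]],
              window: timedelta = timedelta(minutes=5)) -> List[Dict[str, Any]]:
    """SIEM-style correlation: removable media followed, within `window`
    on the same host, by an unknown process and an autostart registry write
    is escalated as a suspected USB-borne malware installation. Each alert
    alone is noise an operator might dismiss; together they are not."""
    incidents = []
    for media in (a for a in alerts if a["rule"] == "removable_media"):
        later = [a for a in alerts if a["host"] == media["host"]
                 and media["ts"] <= a["ts"] <= media["ts"] + window]
        rules = {a["rule"] for a in later}
        if {"rogue_process", "persistence_run_key"} <= rules:
            incidents.append({"host": media["host"], "start": media["ts"],
                              "kind": "suspected_usb_malware",
                              "evidence": sorted(rules)})
    return incidents


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a["ts"].isoformat(), a["host"], a["rule"], a["detail"])
    for inc in correlate(found):
        print("INCIDENT", inc)
```

Run stand-alone it prints five host alerts and one escalated incident for HMI-01. The allowlist approach suits an operator station precisely because its expected process set is small and stable, which is the property the paper relies on when it asks for alignment with expected access patterns; on a general-purpose IT host the same rule would drown in noise.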

alephtavtech.com

blogs.alephtavtech.com

Assess. Monitor. Secure.

engage@alephtavtech.com

