Secure data transfer between ICS and IT zones
Overview
A significant entity in the pharmaceutical sector had recently concluded an extensive infrastructure transformation programme, substantially aligning with the IEC 62443 standard, an initiative aimed at consolidating OT cybersecurity. Following this significant change, the new infrastructural scenario unveiled fresh challenges regarding cross-zone data transfer, as well as data exchange towards the private cloud (level 5) and externally (vendors, clients, distributors). An aspect often underestimated during transformations of this kind, and one which architects only address post-implementation completion.
This new aspect proved particularly challenging due to its direct impact on vendors’ ability to input external data, especially critical ones like software update packages and anti-malware securities. Similarly, the reverse transit of diagnostic data to specialists had become notably complex.
MAASI was engaged to design the appropriate solution to enable data interchange while rigorously adhering to standards and security.
Table of Contents
Solution
Our team of experts evaluated market offerings to construct a robust and secure transfer system. Upon identifying the optimal solution, its design, development of associated procedures, and personnel training were meticulously handled.
The final layout envisaged the implementation of a solid ISA99-compliant system tailored to the client’s needs and intended use.
Achievement
-
Simplification:
The architectural and procedural constraints introduced by the IEC62443 standard were simplified and made immediate, streamlining manual data transfer operations while retaining all necessary security requirements. -
Real Security:
The designed solution led to the consolidation of shared folder usage, genuinely and definitively securing data transfer, and isolating IT (levels 4 and 5) and OT (3.5, 3, 2) layers. -
Standard Evolution:
Thanks to the structure's peculiarities, extending the framework beyond level 4 effortlessly became possible, effectively making the transfer system available across the entire company network, transcending site and geographical boundaries with encrypted tunnels and cross-zone passages via gravity wells.
