
Don’t wait until it’s too late: Now’s the time to leverage cybersecurity standards for the production environment

Today’s factory floors include production equipment that’s linked directly into those IT systems that are so often the victims of a cyberattack. This “operational technology” (OT) is critical for pharmaceutical manufacturing and R&D organizations.

While cyberattacks are widely discussed in the mainstream press, the risks extend well beyond IT systems and consumer devices. The risks on a factory floor are all too real for manufacturers and producers of pharmaceuticals, medical devices and the like.

Today’s factory floors include production equipment that is linked directly into those IT systems. This “operational technology” (OT) is critical for pharmaceutical manufacturing and R&D organizations. As more OT systems become connected, and as cyber incidents become more frequent and their consequences more severe, it is essential to ensure the safety, integrity and reliability of the OT environment.

Organizations face a dilemma over how to react and protect their OT environment: which solutions, people capabilities, standards and processes to buy, build or adopt in order to underpin the security capability and maturity of the operating environment. What solutions should be deployed? What standards or controls should be applied to build and sustain security capability?

Why is it important to adopt industry standards?

The OT used in a production environment includes more than the technology that comprises an industrial automation and control system (IACS). It includes the people and work processes needed to ensure the safety, integrity, reliability and security of the control system. Without sufficiently trained people, risk-appropriate technologies, countermeasures and work processes throughout the security lifecycle, an IACS is more vulnerable to cyberattack.

Adopting security standards, and potentially an OT security operating model that complements the standards, will bring a solid foundation and framework to ensure:

  • clear accountabilities, including for the asset owner and their suppliers (internal IT, external service providers and equipment vendors),
  • standards to be leveraged in solution design (including by vendors) to ensure security capabilities are embedded,
  • metrics for measuring conformance to the standards and security capability,
  • and ultimately a level of maturity that can be measured and that demonstrates a reduced risk position in the environment.

Which standards to adopt?

Many organizations may simply try to adopt IT standards, such as those developed in an ITIL framework. These may well serve the purpose in the broader operating sense; however, when you examine the differences in security standards and requirements, IACS carry specific risks that differ from traditional IT, including endangerment of public or employee health and safety, damage to the environment and damage to the equipment under control. As such, adopting a set of industry-designed standards for the lifecycle of IACS security (procure, design, build, operate, etc.) makes good sense. IEC/ISA 62443 is a globally recognized industry standard that was designed specifically for IACS by the ISA99 committee of the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC).

How to apply standards within a pharma manufacturing environment?

Once the standards have been selected, the next challenge is understanding how and when to apply them. Often the biggest question companies have is when to start adopting the standards and whether to apply them retroactively. Both questions have implications for costs, people and operating schedules. One potential approach is to start building capability internally while ensuring that external service providers and vendors are doing the same. At the same time, companies can decide that, going forward, all new or upgraded systems will comply with the standards. Additionally, it may be appropriate to adopt certain parts of the standard first, such as Zones and Conduits in IEC/ISA 62443. Doing so in turn requires inventory discovery and a risk assessment, so that an organization can focus first on its critical systems (driven by value streams, business revenue and reputation).

For example, in a biopharma operation, some systems on the shop floor would be more critical than others in the event of a cyberattack. Where a vaccine bioreactor production line is effectively part of the same value stream as the fill and pack line, the two areas could be impacted differently by an attack. The loss of a bioreactor could result in a significant cost in terms of a spoiled batch. An attack on the fill and pack line, while painful from a supply perspective, would be less likely to have the same magnitude of impact on revenue. As such, the different lines would be defined as separate zones, and network traffic between the zones limited to appropriate types via conduits.
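The zone-and-conduit model described above, as an added example that is not from the article: a small Python policy check that assigns the bioreactor, fill and pack, and enterprise IT assets to zones by address, allows only the explicitly defined conduit traffic between zones, and audits constructed flow records for violations. The zones, addresses, ports and flow lines are all assumed sample data, not a real site.

```python
# Added example (not from the article): a minimal IEC 62443 zones-and-conduits
# check for the bioreactor / fill-and-pack scenario. All data is constructed.
from ipaddress import ip_address, ip_network

# Zone name -> (CIDR, criticality). The bioreactor line is the revenue-critical
# value stream, so it is segmented and hardened first.
ZONES = {
    "bioreactor": ("10.10.1.0/24", "high"),
    "fill_pack": ("10.10.2.0/24", "medium"),
    "enterprise_it": ("10.0.0.0/16", "low"),
}
# Conduits: (source zone, destination zone) -> permitted TCP ports (illustrative).
# Anything not listed is denied, so enterprise IT never reaches the bioreactor
# zone directly, and conduits are one-way: the reverse pair must be listed too.
CONDUITS = {
    ("enterprise_it", "fill_pack"): {443},  # MES reporting over HTTPS
    ("fill_pack", "bioreactor"): {4840},    # batch record exchange via OPC UA
}

def zone_of(ip):
    """Zone an address belongs to, or None if it is missing from the inventory."""
    addr = ip_address(ip)
    return next((z for z, (cidr, _) in ZONES.items() if addr in ip_network(cidr)), None)

def evaluate_flow(src, dst, port):
    """Classify one flow as 'intra-zone', 'allowed' or 'denied'."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "denied"      # unknown asset = inventory gap; fail closed
    if s == d:
        return "intra-zone"  # conduits only govern traffic between zones
    return "allowed" if port in CONDUITS.get((s, d), set()) else "denied"

def audit(log_lines):
    """Return (src, dst, port, destination zone) for each flow a conduit denies."""
    hits = []
    for line in log_lines:
        f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if not {"src", "dst", "port"} <= f.keys():
            continue             # skip malformed records
        src, dst, port = f["src"], f["dst"], int(f["port"])
        if evaluate_flow(src, dst, port) == "denied":
            hits.append((src, dst, port, zone_of(dst)))
    return hits

# Constructed flow records in the style of a firewall or flow-monitor export.
SAMPLE_FLOWS = [
    "src=10.0.5.7 dst=10.10.2.15 port=443",     # IT -> fill/pack through its conduit
    "src=10.10.2.15 dst=10.10.1.20 port=4840",  # fill/pack -> bioreactor through its conduit
    "src=10.0.5.7 dst=10.10.1.20 port=3389",    # IT straight into the bioreactor zone
    "src=10.10.1.20 dst=10.10.1.21 port=502",   # stays inside the bioreactor zone
]
```

Running `audit(SAMPLE_FLOWS)` reports only the third record, the direct enterprise-IT connection into the high-criticality bioreactor zone, which is exactly the kind of cross-zone path a conduit definition is meant to rule out.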

Justifying the cost of standards and of implementing new technology and solutions will always be a challenge, since this area is typically treated as core or foundational. As companies look ahead to new digital ambitions, it will be important to consider the role of risk mitigation and the underpinning cost of building the right capabilities and controls to meet long-term production demands. When weighing the risks and costs of a cyberattack, can you afford to wait? What if you could invest far less than the clean-up costs of a potential cyberattack and be safe? Perhaps consider Merck and the $1.4bn recovery cost?

Conclusion

An OT security program spans many solutions across people, process and technology. Adopting a robust set of standards, ideally up front, is essential to ensure that accountabilities are clear and that security capability and maturity are built. IEC/ISA 62443 brings an industry framework of standards, specifically built and maintained with the needs of IACS in mind. When leveraged across the lifecycle of OT, implementing an industry standard can bring clarity for asset owners, suppliers and third parties as to accountabilities and expectations throughout the design phase and into operation. It’s well worth remembering that standards require a complementary capability of people and process to ensure that continuous value and security capability are maintained, in line with an organization’s risk appetite.


John Allen is a strategic leader with 23 years at GSK predominantly in Manufacturing IT, as well as leading the OT Cybersecurity transformation program as VP in the CISO leadership team. John now works freelance bringing strategic consulting in Manufacturing IT (and applications), M&A, Digital and OT Cybersecurity in the Pharma domain.
