While cybersecurity attacks are often discussed in the mainstream, the risks extend far beyond IT systems and consumer-based devices. Factory Floor Risks – All too real for manufacturers and producers of pharmaceuticals, medical devices, and more.
Today’s factory floors include production equipment that is directly connected to these IT systems. This “operational technology” (OT) is critical for pharmaceutical and R&D organizations. As the number of OT systems increases and the risk and impact of cyber incidents become more prevalent, ensuring the security, integrity, and reliability of the OT environment becomes critical.
Organizations face the dilemma of how to address and secure their OT environment, namely which solutions, people capabilities, standards and processes to buy, build or adopt to support the security capabilities and maturity of the operating environment. Which solutions should be deployed? What standards or controls should be applied to establish and maintain security capabilities?
Why is it important to adopt industry standards?
OT used in a production environment does not only include technology including Industrial Automation Control Systems (IACS). It includes the people and work processes required to ensure the safety, integrity, reliability and safety of the control system. IACS may be more vulnerable to cyber-attacks without adequate training, risk-appropriate techniques, countermeasures, and workflows throughout the security lifecycle.
The adoption of security standards and an OT security operating model that may complement the standards will result in a solid foundation and framework to ensure:
- Clear responsibilities, including asset owners and their suppliers (internal IT, external service providers and equipment suppliers),
- Standards used in solution design (including vendors) to ensure embedded security features,
- Metrics to measure standards compliance and security capabilities,
- Finally achieve a measurable level of maturity and demonstrate a reduced risk profile in the environment.
Which standards are used?
Many organizations may simply be trying to adopt IT standards, such as those developed in the ITIL framework. In a broader operational sense, these may serve the purpose well; however, when you examine the differences in security standards and requirements, IACS has specific risks that differ from traditional IT, including endangering public or employee health and safety, Damage to the environment and damage to controlled equipment. Therefore, it makes sense to adopt a set of industry design standards for the life cycle of IACS security (procurement, design, build, operate, etc.). IEC/ISA 62443 is a globally recognized industry standard designed specifically for IACS by ISA99 (International Society of Automation) and IEC (International Electrotechnical Commission).
How are standards applied in a pharmaceutical production environment?
Once the criteria have been chosen, the next challenge is to understand how and when to apply them. Often, the biggest problem facing companies is knowing when to start adopting these standards and whether they should be applied retrospectively. Both of these issues have implications for cost, personnel and operational planning. One possible approach is to start building capabilities internally and ensure that external service providers and suppliers do the same. At the same time, the company can be sure that all new or upgraded systems in the future will meet the standard. Additionally, it may be appropriate to adopt certain standards first, such as areas and pipelines in IEC/ISA 66443, which in turn require inventory discovery and risk assessment so that organizations can focus first on their critical systems (value streams/business revenue and reputation-driven).
In the biopharmaceutical business, for example, certain systems on the shop floor become more critical in the event of a cyberattack. If vaccine bioreactor production lines are actually part of the same value stream as filling and packaging lines, then these two areas may be affected differently by cyber attacks. Loss of bioreactors can result in huge costs for damaged batches. Alternatively, an attack on bottling and packaging lines, while painful from a supply perspective, is unlikely to have the same magnitude of impact on revenue. Therefore, different circuits will be defined within the zones, and network traffic will be restricted to the appropriate types between zones through pipes.
The cost of proving standards and the implementation of new technologies and solutions will always be a challenge, as often the field can be considered core or foundational. As companies look to new digital ambitions, it is important to consider the role of risk mitigation and the underlying cost of building the right capabilities and controls to meet long-term production needs. Can you afford to wait when weighing the risks and costs of a cyber attack? What if your investment is well below the cleanup cost of a potential cyber attack and safe? Maybe consider Merck and $1.4 billion in recovery costs?
in conclusion
There are many solutions in an OT security program that span people, processes, and technology. Ideally, adopting a robust set of standards up front is essential to ensure accountability, security capability and maturity are established. IEC/ISA 62443 brings an industry standard framework built and maintained specifically for the needs of IACS. When leveraged in OT’s lifecycle, implementing industry standards can provide greater clarity on the responsibilities and expectations of asset owners, suppliers, and third parties throughout the design phase and into operation. It’s worth remembering that standards require complementary capabilities of people and processes to ensure continued value and security capabilities, in line with an organization’s risk appetite.
Photo: Half Point, Getty Images
