Although cyber security attacks are often discussed in the mainstream, the risks extend far beyond IT systems and consumer devices. Factory risks are all too real for producers and manufacturers of pharmaceuticals, medical devices and the like.
Today’s factory floors include production equipment that is connected directly to these IT systems. This “operational technology” (OT) is critical to pharmaceutical manufacturing and R&D organizations. As more OT systems become connected and the risks and consequences of a cyber incident become more pervasive, it is essential to ensure the safety, integrity and reliability of the OT environment.
Organizations face the dilemma of how to respond and protect their OT environment: which solutions, people capabilities, standards and processes to purchase, build or adopt to support security capabilities and the maturity of the operational environment. What solutions should be implemented? What standards or controls should be in place to build and maintain security capabilities?
Why is it important to adopt industry standards?
OT used in a manufacturing environment involves more than the technology that makes up an industrial automation and control system (IACS). It includes the people and work processes necessary to ensure the safety, integrity, reliability and security of the management system. Without people who are sufficiently trained, and without risk-aware technologies, countermeasures and workflows throughout the security lifecycle, an IACS can be more vulnerable to cyber-attacks.
The adoption of security standards and potentially an OT security operational model that complements the standards will bring a solid foundation and framework to ensure:
- clear responsibilities, including the asset owner and their suppliers (internal IT, external service providers and equipment vendors),
- standards to be used in the design of solutions (including vendors) to ensure that security capabilities are built in,
- indicators for measuring compliance with security standards and capabilities,
- and ultimately a level of maturity that can be measured and demonstrates a reduced risk position in the environment.
Which standards should we adopt?
Many organizations may simply try to adopt IT standards such as those developed under ITIL. They can serve the purpose in a broader operational sense; however, when you examine the differences in security standards and requirements, IACS has specific risks that differ from traditional IT, including endangering public health and employee safety, environmental damage, and damage to controlled equipment. As such, adopting a set of industry-designed standards for the IACS security lifecycle (deliver, design, build, operate, etc.) makes good sense. IEC/ISA 62443 is a globally recognized industry standard that was designed specifically for IACS by ISA99 (International Society of Automation) and IEC (International Electrotechnical Commission).
How to implement standards in a pharmaceutical manufacturing environment?
Once the standards are chosen, the next challenge is figuring out how and when to implement them. Often the biggest question companies have is when to start adopting the standards and whether they should apply them retroactively. Both issues have implications for costs, people and operational schedules. One potential approach is to start building capabilities internally and ensure that external service providers and suppliers do the same. At the same time, companies can specify that in the future all new or upgraded systems will comply with the standards. In addition, it may be appropriate to adopt certain standards first, such as zones and conduits in IEC/ISA 62443, which in turn would require asset inventory discovery and risk assessment to be carried out so that an organization can focus first on its critical systems (value streams, driven by business revenue and reputation).
For example, in a biopharmaceutical operation, there will be systems on the shop floor that would be more critical in the event of a cyber attack. In the case where a vaccine bioreactor production line is effectively part of the same value stream as the filling and packaging line, the two areas may be affected differently by a cyber attack. The loss of a bioreactor can result in significant costs in terms of a spoiled batch. Alternatively, an attack on the filling and packaging line, while painful from a supply point of view, is less likely to have the same degree of impact on revenue. As such, the different lines will be placed in separate zones, and network traffic between zones will be restricted to appropriate types via conduits.
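The zoning described above can be expressed as a small policy model and used to audit observed traffic. The following is an added example, not part of the original article; the zone names, subnets, permitted services and flow records are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed zone map (assumption): one subnet per zone, from the asset inventory.
ZONES = {
    "enterprise_it": ip_network("10.10.0.0/16"),
    "bioreactor": ip_network("10.20.1.0/24"),
    "fill_pack": ip_network("10.20.2.0/24"),
}
# Conduits (assumption): directional zone pairs and the only services they carry.
# No conduit is defined from enterprise IT into the higher-criticality bioreactor zone.
CONDUITS = {
    ("bioreactor", "fill_pack"): {("tcp", 4840)},   # OPC UA batch hand-off
    ("enterprise_it", "fill_pack"): {("tcp", 443)},  # order data over HTTPS
}
# Constructed flow records: (source, destination, protocol, destination port).
FLOWS = [
    ("10.20.1.10", "10.20.1.11", "tcp", 502),   # inside the bioreactor zone
    ("10.20.1.10", "10.20.2.5", "tcp", 4840),   # permitted conduit traffic
    ("10.10.3.7", "10.20.1.10", "tcp", 502),    # IT host reaching a bioreactor PLC
    ("10.20.1.10", "10.20.2.5", "tcp", 22),     # conduit exists, service does not
    ("192.168.9.9", "10.20.2.5", "tcp", 443),   # source missing from the inventory
]

def zone_of(addr):
    """Return the zone whose subnet contains addr, or None if unassigned."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)

def check_flow(src, dst, proto, port):
    """Classify one observed flow against the zone and conduit model."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "violation: endpoint not in any zone"
    if src_zone == dst_zone:
        return "ok: intra-zone"
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return f"violation: no conduit {src_zone} -> {dst_zone}"
    if (proto, port) not in allowed:
        return f"violation: {proto}/{port} not permitted {src_zone} -> {dst_zone}"
    return "ok: conduit"

def audit(flows):
    """Return (flow, verdict) pairs for every flow that breaks the model."""
    results = [(flow, check_flow(*flow)) for flow in flows]
    return [(flow, verdict) for flow, verdict in results if verdict.startswith("violation")]

if __name__ == "__main__":
    for flow, verdict in audit(FLOWS):
        print(flow, "->", verdict)
```

An endpoint that maps to no zone is reported as a violation rather than ignored, which is why the inventory step has to come before zoning.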
Justifying the costs of standards and implementing new technologies and solutions will always be a challenge, as this area can usually be considered core or foundational. As companies look ahead to new digital ambitions, it will be important to consider the role of risk mitigation and the underlying costs of building the right capabilities and controls to meet long-term production requirements. When weighing the risks and costs of a cyberattack, can you afford to wait? What if you could invest far less than the cost of cleaning up a potential cyberattack and be safe? Maybe consider Merck and the $1.4 billion in recovery costs?
Conclusion
There are many solutions in an OT security program that span people, process, and technology. Adopting a robust set of standards, ideally up front, is essential to ensure responsibilities are clear and security capabilities and maturity are built. IEC/ISA 62443 brings an industry framework of standards specifically built and maintained with the needs of IACS in mind. When used in the OT lifecycle, the application of an industry standard can bring clarity among asset owners, suppliers and third parties regarding responsibilities and expectations during the design and operation phase. It’s worth remembering that the standards require additional capabilities from people and processes to ensure continued value and maintain security capability, consistent with the organization’s risk appetite.