31 Aug 2017

How to improve operational technology security and safety in LS


Piotr Ciepiela

EY EMEIA Security & Critical Infrastructure Leader, Associate Partner, EY EMEIA Advisory Center

Critical infrastructure security and operational technology leader. Over 14 years of experience managing international, complex OT and IoT security projects. Team and thought leader. Strategy former.


The expansion of connectivity and the use of legacy operating systems have created serious vulnerabilities in life sciences. 

During the last couple of years, the number of cyber attacks on production and manufacturing environments has grown. In particular, shop floor systems, including distributed control systems (DCSs) and supervisory control and data acquisition (SCADA) systems, have become primary targets for attacks.

Many life science organizations have introduced new technology to drive improvements such as production and supply chain efficiency and asset management. This has led to closer and more open integration between IT and shop floor systems — but the increasing connectivity of previously isolated manufacturing systems, together with a reliance on remote support services for operational maintenance, has introduced new vulnerabilities for cyber attack. Not only is the number of attacks growing, but so is their sophistication.

As operational technology (OT) security becomes a widely discussed topic, the awareness of OT operators is rising, but so is the knowledge and understanding of OT-specific problems and vulnerabilities in the hacker community.

OT environments have very different security requirements, priorities and operational conditions compared with typical corporate IT networks and systems — they are focused on ensuring product quality and the continuity of manufacturing processes. OT system vendors are more eager to utilize proven, reliable technologies than emerging ones, even if the emerging ones promise improved efficiency, more functionality or scalability; for example, they use Windows XP or some older Linux distributions instead of current, patched operating system releases such as Windows 10, or they use old, unencrypted Modbus serial protocols.


Statistics from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) show that in just two years, global OT incidents in the health care and life science sectors increased from 0% to 6%.[1]

From the perspective of the organizational units responsible for cybersecurity in life science organizations, OT has been somewhat off the radar. OT systems were treated as an integral part of production machinery rather than computerized information systems, so the ultimate responsibility for their operation, regardless of the cause of potential failure, was assigned to manufacturing maintenance teams. In some cases, only the “technology” aspect was taken into consideration (e.g., protection tools); however, the “people aspects” often seem to be the bigger issue in OT security implementation.


Features of current OT environments that make them difficult to secure:

1. Sophistication

Manufacturing and lab equipment vendors in the life sciences sector utilize a great variety of OT technologies and applications. In addition, individual manufacturing facilities have had more autonomy over their choice of systems or facilities, and very different systems have been acquired through mergers and acquisitions.

This creates a challenge in defining and implementing coherent security policies across production plants. System-dedicated networks, multiple domains and dedicated supporting systems (e.g., engineering tools and backup solutions) require more resources to achieve a maturity level comparable with IT. The complexity in monitoring and maintaining security levels is also greatly increased.

2. New legacy systems

As OT system vendors prefer proven, reliable technologies, at the point of implementation, some OT systems already support only obsolete, insecure operating systems. The security aspect alone is rarely a driver to replace a vendor who is offering the most effective manufacturing equipment. On the other hand, OT system vendors do not feel obliged to increase the security capabilities of their systems — the technical specifications released by life sciences organizations at the system acquisition stage rarely include any security requirements at all.


3. GxP aspect

GxP requirements (a set of practice quality guidelines and regulations used in the pharmaceutical industry) cover a significant number of basic security requirements (e.g., those related to access control). However, these are focused on only one of three pillars of security — the integrity of generated and processed information.

Enabling high availability of OT systems and maintaining the confidentiality of some sensitive information processed by those systems require additional security controls. Implementation of an OT security management system requires the alignment of new OT security processes with existing GxP processes — which adds another level of complexity in comparison with other industrial sectors.

4. IoT revolution and security impact (industrial IoT)

The Industry 4.0 revolution is having a great impact on pharmaceutical manufacturing environments. It offers significant opportunities for improving production effectiveness, particularly with regard to continual, online information about manufacturing processes and equipment. However, the utilization of new IoT technologies also impacts security. New protocols (including wireless) or mesh network architectures increase the number of potential access points to the network and require a different approach to security.

5. Medical devices

More and more incidents related to unprotected medical devices have resulted in the creation of the first security guidelines. For example, in December 2016, the U.S. Food and Drug Administration (FDA) issued Postmarket Management of Cybersecurity in Medical Devices,[2] which gives high-level security recommendations.

But this is just the tip of the iceberg. In reality, there were no good practices and formal regulations for manufacturers on how to provide even minimal security protection on medical devices. As a result, hospitals (and even patients who may have technology fitted in their bodies) are full of vulnerable equipment that has become easier to target — with the potential for direct impact on human lives. Publication of these breaches, and even vulnerabilities, can have a significant impact on company stock prices, with a 2016 example showing a 5% drop in share price following disclosure of vulnerabilities in pacemakers.[3]

Conclusion

The maturity of manufacturing in the life sciences sector is lagging behind other sectors, such as power and utilities or oil and gas, in looking after critical infrastructure.

The advantage of this for life sciences companies is that they can leverage experience from more mature sectors and have access to many new vendors and tools in the market providing technologies to help mitigate some of the key risks. But the challenge all sectors are facing is the lack of OT security specialists available in the talent pool. Internally, because this issue cuts across manufacturing and IT, the major roadblock is typically obtaining alignment on the organizational reporting lines, responsibilities and, critically, who pays for it.

As the risks continue to expand and regulations start to come into place, the time window for competitive advantage through better OT security is closing. To seize the opportunity for rapid improvements, it is critical that OT security initiatives are initiated with the strongest possible executive sponsorship.

Summary

Security vulnerabilities of life sciences companies' operational technology (OT) have increased, and the number of cyber attacks has risen. Organizations must seek strong executive support for rapid improvements.
