As OT security becomes a widely discussed topic, the awareness of OT operators is rising, but so is the knowledge and understanding of OT-specific problems and vulnerabilities in the hacker community.

Statistics from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) show that in just two years, global OT incidents in the health care and life science sectors increased from 0% to 6%.¹
From the perspective of the organizational units responsible for cybersecurity in life science organizations, OT has been somewhat off the radar. OT systems were treated as an integral part of production machinery rather than as computerized information systems, so the ultimate responsibility for their operation, regardless of the cause of potential failure, was assigned to manufacturing maintenance teams. In some examples, only the “technology” aspect was taken into consideration (e.g., protection tools); however, the “people aspects” often seem to be the bigger issue in OT security implementation.

Features of current OT environments that make them difficult to secure:
1. Sophistication
Manufacturing and lab equipment vendors in the life sciences sector utilize a great variety of OT technologies and applications. In addition, individual manufacturing facilities have had more autonomy over their choice of systems or facilities, and very different systems have been acquired through mergers and acquisitions.
This creates a challenge in defining and implementing coherent security policies across production plants. System-dedicated networks, multiple domains and dedicated supporting systems (e.g., engineering tools and backup solutions) require more resources to achieve a maturity level comparable with IT. The complexity in monitoring and maintaining security levels is also greatly increased.
2. New legacy systems
Because OT system vendors prefer proven, reliable technologies, some OT systems already support only obsolete, insecure operating systems at the point of implementation. The security aspect alone is rarely a driver to replace a vendor who is offering the most effective manufacturing equipment. On the other hand, OT system vendors do not feel obliged to increase the security capabilities of their systems: the technical specifications released by life sciences organizations at the system acquisition stage rarely include any security requirements at all.
3. GxP aspect
GxP requirements (a set of practice quality guidelines and regulations used in the pharmaceutical industry) cover a significant number of basic security requirements (e.g., those related to access control). However, these are focused on only one of three pillars of security — the integrity of generated and processed information.
Enabling high availability of OT systems and maintaining the confidentiality of some sensitive information processed by those systems require additional security controls. Implementation of an OT security management system requires the alignment of new OT security processes with existing GxP processes, which adds another level of complexity in comparison with other industrial sectors.
4. IoT revolution and security impact (industrial IoT)
The Industry 4.0 revolution is having a great impact on pharmaceutical manufacturing environments. It offers significant opportunities for improving production effectiveness, particularly with regard to continual, online information about manufacturing processes and equipment. However, the utilization of new IoT technologies also impacts security. New protocols (including wireless) or mesh network architectures increase the number of potential access points to the network and require a different approach to security.
5. Medical devices
More and more incidents related to unprotected medical devices have resulted in the creation of the first security guidelines. For example, in December 2016, the U.S. Food and Drug Administration (FDA) issued Postmarket Management of Cybersecurity in Medical Devices,² which gives high-level security recommendations.
But this is just the tip of the iceberg. In reality, there were no good practices and formal regulations for manufacturers on how to provide even minimal security protection on medical devices. As a result, hospitals (and even patients who may have technology fitted in their bodies) are full of vulnerable equipment that has become easier to target — with the potential for direct impact on human lives. Publication of these breaches, and even vulnerabilities, can have a significant impact on company stock prices, with a 2016 example showing a 5% drop in share price following disclosure of vulnerabilities in pacemakers.³
Conclusion
The maturity of manufacturing in the life sciences sector is lagging behind other sectors, such as power and utilities or oil and gas, in looking after critical infrastructure.
The advantage of this for life sciences companies is that they can leverage experience from more mature sectors and have access to many new vendors and tools in the market providing technologies to help mitigate some of the key risks. But the challenge all sectors are facing is the lack of OT security specialists available in the talent pool. Internally, because this issue cuts across manufacturing and IT, the major roadblock is typically obtaining alignment on the organizational reporting lines, responsibilities and, critically, who pays for it.
As the risks continue to expand and regulations start to come into place, the time window for competitive advantage through better OT security is closing. To seize the opportunity for rapid improvements, it is critical that OT security initiatives are initiated with the strongest possible executive sponsorship.
Summary
Security vulnerabilities of life sciences companies' operational technology (OT) have increased, and the number of cyber attacks has risen. Organizations must seek strong executive support for rapid improvements.