How to improve operational technology security and safety in LS

Statistics from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) show that in just two years, global OT incidents in the health care and life science sectors increased from 0% to 6%.¹

From the perspective of the organizational units responsible for cybersecurity in life science organizations, OT has been somewhat off the radar. OT systems were treated as an integral part of production machinery rather than computerized information systems, so the ultimate responsibility of its operations, regardless of the cause of potential failure, was assigned to manufacturing maintenance teams. In some examples, only the “technology” aspect was taken into consideration (e.g., protection tools); however, the “people aspects” often seem to be the bigger issue in OT security implementation.

Features of current OT environments that make them difficult to secure:

1. Sophistication

Manufacturing and lab equipment vendors in the life sciences sector utilize a great variety of OT technologies and applications. In addition, individual manufacturing facilities have had more autonomy over their choice of systems or facilities, and very different systems have been acquired through mergers and acquisitions.

This creates a challenge in defining and implementing coherent security policies across production plants. System-dedicated networks, multiple domains and dedicated supporting systems (e.g., engineering tools and backup solutions) require more resources to achieve a maturity level comparable with IT. The complexity in monitoring and maintaining security levels is also greatly increased.

2. New legacy systems

As OT system vendors prefer proven, reliable technologies, at the point of implementation, some OT systems are already merely supporting obsolete, insecure operating systems. The security aspect alone is rarely a driver to replace a vendor who is offering the most effective manufacturing equipment. On the other hand, OT system vendors do not feel obliged to increase the security capabilities of their systems — the technical specifications released by life sciences organizations at the system acquisition stage rarely include any security requirements at all.

3. GxP aspect

GxP requirements (a set of practice quality guidelines and regulations used in the pharmaceutical industry) cover a significant number of basic security requirements (e.g., those related to access control). However, these are focused on only one of three pillars of security — the integrity of generated and processed information.

Enabling high availability of OT systems and maintaining the confidentiality of some sensitive information processes by those systems require additional security controls. Implementation of an OT security management system requires the alignment of new OT security processes with existing GxP processes — which adds another level of complexity in comparison with other industrial sectors.

4. IoT revolution and security impact (industrial IoT)

The Industry 4.0 revolution is having a great impact on pharmaceutical manufacturing environments. It offers significant opportunities for improving production effectiveness, particularly with regard to continual, online information about manufacturing processes and equipment. However, the utilization of new IoT technologies also impacts security. New protocols (including wireless) or mesh network architectures increase the number of potential access points to the network and require a different approach to security.

5. Medical devices

More and more incidents related to unprotected medical devices have resulted in the creation of the first security guidelines. For example, in December 2016, the U.S. Food and Drug Administration (FDA) issued Postmarket Management of Cybersecurity in Medical Devices,² which gives high-level security recommendations.

But this is just the tip of the iceberg. In reality, there were no good practices and formal regulations for manufacturers on how to provide even minimal security protection on medical devices. As a result, hospitals (and even patients who may have technology fitted in their bodies) are full of vulnerable equipment that has become easier to target — with the potential for direct impact on human lives. Publication of these breaches, and even vulnerabilities, can have a significant impact on company stock prices, with a 2016 example showing a 5% drop in share price following disclosure of vulnerabilities in pacemakers.³

Conclusion

The maturity of manufacturing in the life sciences sector is lagging behind other sectors, such as power and utilities or oil and gas, in looking after critical infrastructure.

The advantage of this for life sciences companies is that they can leverage experience from more mature sectors and have access to many new vendors and tools in the market providing technologies to help mitigate some of the key risks. But the challenge all sectors are facing is the lack of OT security specialists available in the talent pool. Internally, because this issue cuts across manufacturing and IT, the major roadblock is typically obtaining alignment on the organizational reporting lines, responsibilities and, critically, who pays for it.

As the risks continue to expand and regulations start to come into place, the time window for competitive advantage through better OT security is closing. To seize the opportunity for rapid improvements, it is critical that OT security initiatives are initiated with the strongest possible executive sponsorship.