3. GxP aspect
GxP requirements (a set of practice quality guidelines and regulations used in the pharmaceutical industry) cover a significant number of basic security requirements (e.g., those related to access control). However, these are focused on only one of three pillars of security — the integrity of generated and processed information.
Enabling high availability of OT systems and maintaining the confidentiality of some sensitive information processed by those systems require additional security controls. Implementation of an OT security management system requires the alignment of new OT security processes with existing GxP processes, which adds another level of complexity in comparison with other industrial sectors.
4. IoT revolution and security impact (industrial IoT)
The Industry 4.0 revolution is having a great impact on pharmaceutical manufacturing environments. It offers significant opportunities for improving production effectiveness, particularly with regard to continual, online information about manufacturing processes and equipment. However, the utilization of new IoT technologies also impacts security. New protocols (including wireless) or mesh network architectures increase the number of potential access points to the network and require a different approach to security.
5. Medical devices
More and more incidents related to unprotected medical devices have resulted in the creation of the first security guidelines. For example, in December 2016, the U.S. Food and Drug Administration (FDA) issued Postmarket Management of Cybersecurity in Medical Devices,2 which gives high-level security recommendations.
But this is just the tip of the iceberg. In reality, there were no good practices and formal regulations for manufacturers on how to provide even minimal security protection on medical devices. As a result, hospitals (and even patients who may have technology fitted in their bodies) are full of vulnerable equipment that has become easier to target — with the potential for direct impact on human lives. Publication of these breaches, and even vulnerabilities, can have a significant impact on company stock prices, with a 2016 example showing a 5% drop in share price following disclosure of vulnerabilities in pacemakers.3
The maturity of manufacturing in the life sciences sector is lagging behind other sectors, such as power and utilities or oil and gas, in looking after critical infrastructure.
The advantage of this for life sciences companies is that they can leverage experience from more mature sectors and have access to many new vendors and tools in the market providing technologies to help mitigate some of the key risks. But the challenge all sectors are facing is the lack of OT security specialists available in the talent pool. Internally, because this issue cuts across manufacturing and IT, the major roadblock is typically obtaining alignment on the organizational reporting lines, responsibilities and, critically, who pays for it.
As the risks continue to expand and regulations start to come into place, the time window for competitive advantage through better OT security is closing. To seize the opportunity for rapid improvements, it is critical that OT security initiatives are launched with the strongest possible executive sponsorship.