Don’t wait until it’s too late: it’s time to leverage cybersecurity standards for the production environment


While cybersecurity attacks are often discussed in the mainstream, the risks go far beyond computer systems and consumer devices. The risks on the factory floor are all too real for manufacturers and producers of pharmaceuticals, medical devices and similar products.

Today’s shop floors include production equipment directly linked to these computer systems. This “operational technology” (OT) is essential for pharmaceutical R&D and manufacturing organizations. As more OT systems become connected, and as the risks and implications of a cyber incident become more pervasive, it is essential to ensure the security, integrity and reliability of the OT environment.

Organizations face the dilemma of how to respond and protect their OT environment: which solutions, human capabilities, standards and processes to buy, build or adopt to underpin security capability and the maturity of the operating environment. What solutions should be deployed? What standards or controls should be applied to build and maintain security capability?

Why is it important to adopt industry standards?

OT used in a production environment is more than technology such as an Industrial Automation and Control System (IACS). It also includes the people and work processes necessary to ensure the safety, integrity, reliability and security of the control system. Without adequately trained people, risk-adaptive technologies, countermeasures and work processes throughout the security lifecycle, an IACS is more vulnerable to cyberattacks.

The adoption of security standards and possibly an OT security operating model that complements the standards will provide a solid foundation and framework to ensure:

  • clear responsibilities, including the owner of the asset and its suppliers (internal IT, external service providers and equipment vendors),
  • standards to leverage in solution design (including vendors) to ensure security capabilities are built in,
  • metrics to measure standards compliance and security capability,
  • and finally a level of maturity that can be measured and demonstrate a reduced risk position in the environment.

Which standards to adopt?

Many organizations may simply try to adopt IT standards, such as those developed within an ITIL framework. These may well serve the purpose in the larger operational sense; however, when you look at the differences in security standards and requirements, an IACS presents specific risks that differ from traditional IT, including endangering the health and safety of the public or employees, damage to the environment and damage to the equipment under control. As such, adopting an industry-designed set of standards for the IACS security lifecycle (purchase, design, build, operate, etc.) makes sense. IEC/ISA 62443 is a globally recognized industry standard that was designed specifically for IACS by ISA99 (International Society of Automation) and IEC (International Electrotechnical Commission).

How to apply the standards in a pharmaceutical manufacturing environment?

Once the standards have been selected, the next challenge is to understand how and when to apply them. Often the biggest question for companies is when to start adopting the standards and whether to apply them retroactively. Both of these issues have implications for costs, people and operating hours. One potential approach is to start building capability internally and to ensure that service providers and external vendors do the same. At the same time, companies can decide that, going forward, all new or upgraded systems will meet the standards. It may also be appropriate to adopt certain parts of the standard first, such as zones and conduits in IEC/ISA 62443, which in turn requires an asset inventory and a risk assessment so that an organization can focus on its critical systems first (the value stream, i.e. the systems on which revenue and corporate reputation depend).

For example, on the shop floor of a biopharmaceutical operation, some systems will be more critical than others in the event of a cyberattack. Even if a vaccine bioreactor production line is part of the same value stream as the filling and packaging line, the two areas could be impacted differently by an attack. The loss of a bioreactor could lead to a significant cost in the form of a spoiled batch. An attack on the fill and pack line, while painful from a supply perspective, would be less likely to have the same magnitude of impact on revenue. The different lines would therefore be defined as separate zones, and network traffic between the zones would be limited to the appropriate types via conduits.
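The zone-and-conduit idea above can be expressed as a small policy model: every asset belongs to exactly one zone, traffic inside a zone is permitted, and traffic between zones is permitted only when a conduit explicitly allows that direction and protocol; everything else, including traffic from assets that are not in the inventory, is denied. The following is an added example written for this article, not code from the article or from IEC/ISA 62443; the zone names, target security levels, IP addresses, protocol names and sample flows are all constructed for illustration.

```python
"""Toy IEC 62443-style zone and conduit policy check (added example).

Zones group assets of similar criticality; conduits are the only permitted
paths between zones, each limited to a direction and a protocol set.
Any flow without a matching conduit is reported as a violation (default deny).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    protocols: FrozenSet[str]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str


class ZoneModel:
    """Zones, asset membership and the allow-listed conduits between zones."""

    def __init__(self) -> None:
        self.zones: Dict[str, int] = {}        # zone name -> target security level (assumed)
        self.asset_zone: Dict[str, str] = {}   # asset IP -> zone name
        self.conduits: List[Conduit] = []

    def add_zone(self, name: str, security_level: int, assets: Iterable[str]) -> None:
        self.zones[name] = security_level
        for ip in assets:
            self.asset_zone[ip] = name

    def add_conduit(self, src_zone: str, dst_zone: str, protocols: Iterable[str]) -> None:
        # Conduits are directional: add a second conduit for the reverse direction.
        self.conduits.append(Conduit(src_zone, dst_zone, frozenset(protocols)))

    def zone_of(self, ip: str) -> str:
        return self.asset_zone.get(ip, "UNASSIGNED")

    def evaluate(self, flow: Flow) -> Tuple[str, str]:
        """Return ("allow"|"deny", reason) for one observed flow."""
        src, dst = self.zone_of(flow.src_ip), self.zone_of(flow.dst_ip)
        if "UNASSIGNED" in (src, dst):
            # An asset missing from the inventory cannot be placed in a zone:
            # deny and flag it for the inventory/risk-assessment step.
            return "deny", f"asset not in inventory ({flow.src_ip} -> {flow.dst_ip})"
        if src == dst:
            return "allow", f"intra-zone traffic within {src}"
        for c in self.conduits:
            if c.src_zone == src and c.dst_zone == dst and flow.protocol in c.protocols:
                return "allow", f"conduit {src}->{dst} permits {flow.protocol}"
        return "deny", f"no conduit {src}->{dst} for {flow.protocol}"


def find_violations(model: ZoneModel, flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Every flow the zone model denies, with the reason."""
    violations = []
    for flow in flows:
        verdict, reason = model.evaluate(flow)
        if verdict == "deny":
            violations.append((flow, reason))
    return violations


def build_example_model() -> ZoneModel:
    """Constructed site layout: bioreactor line, fill/pack line, site IT/historian."""
    m = ZoneModel()
    m.add_zone("bioreactor", 3, ["10.10.1.5", "10.10.1.10"])   # HMI, PLC
    m.add_zone("fill_pack", 2, ["10.10.2.10"])                 # PLC
    m.add_zone("site_it", 1, ["10.10.9.20", "10.10.9.50"])     # historian, workstation
    # Process data may leave the production zones towards the historian only.
    m.add_conduit("bioreactor", "site_it", ["opcua"])
    m.add_conduit("fill_pack", "site_it", ["opcua"])
    return m


# Constructed sample flows, as a firewall or network monitor might report them.
EXAMPLE_FLOWS = [
    Flow("10.10.1.10", "10.10.9.20", "opcua"),    # bioreactor PLC -> historian: allowed
    Flow("10.10.1.5", "10.10.1.10", "modbus"),    # HMI -> PLC inside bioreactor zone: allowed
    Flow("10.10.2.10", "10.10.9.20", "opcua"),    # fill/pack PLC -> historian: allowed
    Flow("10.10.9.50", "10.10.1.10", "rdp"),      # workstation -> bioreactor PLC: no conduit
    Flow("10.10.2.10", "10.10.1.10", "opcua"),    # fill/pack -> bioreactor: no conduit
    Flow("192.168.50.7", "10.10.1.10", "modbus"), # unknown device -> bioreactor PLC: not in inventory
]


if __name__ == "__main__":
    model = build_example_model()
    for flow, reason in find_violations(model, EXAMPLE_FLOWS):
        print(f"VIOLATION {flow.src_ip} -> {flow.dst_ip} [{flow.protocol}]: {reason}")
```

Run as a script, the model reports three violations: the remote-access attempt from the IT workstation into the bioreactor zone, the lateral flow from the fill/pack zone into the bioreactor zone, and the flow from a device that is not in the inventory. The last case is why the article puts inventory and risk assessment before zoning: an asset that is not inventoried cannot be assigned to a zone, so the only safe verdict is to deny and investigate.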

Justifying the cost of standards and the implementation of new technologies and solutions will always be a challenge, as this area can generally be considered essential or foundational. As companies consider new digital ambitions, it will be important to consider the role of risk mitigation and the cost base of building the right capabilities and controls to meet long-term production demands. When assessing the risks and costs of a cyberattack, can you afford to wait? What if you could invest far less than the cost of cleaning up after a cyberattack and still be safe? Consider Merck and its $1.4 billion recovery cost.

Conclusion

There are many solutions in an OT security program that span people, process and technology. Ideally, adopting a strong set of standards from the outset is essential to ensure that responsibilities are clear and that security capability and maturity are built. IEC/ISA 62443 provides a framework of industry standards, specifically built and maintained for the needs of IACS. When leveraged across the OT lifecycle, implementing an industry standard brings clarity to asset owners, vendors and third parties about responsibilities and expectations throughout the design and operation phases. It should be remembered that the standards require complementary capability in people and processes to ensure that security value and capability are maintained over time, consistent with an organization’s risk appetite.

Photo: Halfpoint, Getty Images
