OR WAIT null SECS
Jennifer Markarian is manufacturing editor of Pharmaceutical Technology.
Everyone from IT departments through to manufacturing line personnel should be aware of cybersecurity threats and how to prevent attacks.
Cyber attacks on major companies in June 2017, including US-based pharma company Merck & Co. (1), have highlighted the importance of cybersecurity for every part of a company, including manufacturing. Interconnected operations and manufacturing execution systems, while beneficial, do create more connections that could be compromised, noted Mark Cristiano, Network and Security Services business development manager at Rockwell Automation (2).
A “defense in depth” security approach, as recommended in the International Electrotechnical Commission (IEC) 62443 standard series, uses multiple layers of protection including policies and procedures as well as protection of networks and devices using tools such as anomaly-detection software and authentication software (3).
“No single security product, technology, or methodology can be expected to contain cyber threats on its own. Rather, a holistic security approach should be the priority, following industrial automation and control system (IACS) security standards, including IEC 62443 and [National Institute of Standards and Technology] NIST 800-82” (4), says Gregory Wilcox, Global Technology business development manager at Rockwell Automation.
Information technology (IT) and operations technology (OT) engineers should work together to build layers of defense, using diverse technologies, at multiple levels of the IACS, says Wilcox. “Neither side can effectively defend against cyber threats on their own. Protecting operations should include limiting physical access, hardening devices and computers, persistent monitoring through traffic inspection (i.e., detect), and segmenting (i.e., zoning) the IACS network via industrial firewalls (i.e., conduits) and virtual local area networks.”
Assessing risk and understanding your company’s vulnerabilities, including having an updated inventory of systems, networks, and dataflows is a first step, notes Martin Kunz, product and business development manager, Plant Security Services, at Siemens. Raising awareness of cybersecurity throughout the company is also key. “Criminals look for targets, and many attacks start with a human error that lets something in,” says Kunz. He notes that training programs that give examples of possible scenarios are simple yet effective in raising awareness and empowering personnel. Controlling access, using security technology, and being prepared to respond to an incident are other important aspects of cybersecurity. Security is not a one-time action, notes Kunz; monitoring is a continuous measure. Siemens now has three Cyber Security Operation Centers (in the United States, Portugal, and China), which are part of the company’s Plant Security Services for continuous surveillance of industrial facilities. If this monitoring detects cyber threats, experts issue a warning and coordinate countermeasures. These services are suited for process control systems used in the pharma industry, such as Siemens Simatic PCS7 or similar environments, says Kunz.
“Threat awareness is everyone’s job,” says management and technology consulting and engineering services firm Booz Allen Hamilton (5), which suggests that security should be part of everyone’s work practices. The firm suggests that another key component is using privileged account management to make “superuser” or administrator accounts more secure.
“The requirement to enable remote access and data sharing between OT and IT networks is now paramount,” adds Shmulik Aran, business leader for Honeywell's Security Operations Center. “While in the past, ‘security through obscurity’ was the norm, these days, pharma cyber security teams and manufacturing engineers … must cover the basics first. A secure remote access platform is essential.”
Having an automated inventory of network assets is crucial for managing all connected devices and determining whether they are secure. “Pharma engineers should be aware of the existence, status, and compliance of every network connected device,” says Aran. “Malicious actors need only a single-entry point into the OT network to attain their goals. Employees shouldn’t be viewed as ‘weak links;’ instead, they should be actively trained and considered as a valued line of defense.”