Pharmaceutical companies are a primary target of cyber attacks. After all, formulas of new drugs are highly valuable.
However, a breach into drug manufacturing systems can easily lead to a wide range of operational disruptions - including production downtime, and can result in inefficient or poisonous drugs, spillage of hazardous materials, and other undesired outcomes.
For the pharmaceutical industry, ensuring product quality is undoubtedly a fundamental concern.
At the heart of pharmaceutical manufacturing facilities lie the Industrial Control Systems (ICS), which manage and automate drug manufacturing processes. They control production quality and ensure that chemicals and other substances are mixed, heated, and cooled in strict accordance with each drug's specification.
Since pharma products are manufactured using complex processes, increasing business value exists in connecting operational and IT systems, which is driving deeper integration between IT and operational networks.
With the efficiencies and cost savings offered by the blurred lines between IT and operational technologies, comes greater risk that external attackers can reach ICS through an IT network breach.
Any incident that compromises ICS - due to a sophisticated cyber attack or innocent human error - can have severe consequences. Months of re-validations may be required before resuming operations, which may result in major financial losses and considerable reputational damage.
To avoid such incidents, and comply with FDA requirements, pharmaceutical manufacturers need better visibility and control into their ICS networks.
External and Internal Security Threats to Pharma Manufacturing Systems
Despite the substantial growth of external cyber attacks against ICS networks, pharmaceutical manufacturers still report that their biggest security concern actually comes from insiders.
Trusted employees, contractors, and integrators who work on these complex, technologically intensive manufacturing processes can cause a wide range of disruptions, unintended outcomes, and significant damage. Malicious insiders have direct access to manufacturing processes and therefore have the ability to sabotage these systems.
<< Watch the short video to learn why pharma companies must protect Industrial Control Systems >>
Another major concern is, of course, human error. Namely, unintentional mistakes. Human error is the leading cause of operational downtime.
Simple errors such as making changes to the wrong PLC, or incomplete maintenance to DCS systems, can cause of a wide range of disruptions and downtime, and result in undesirable products.
FDA Requirements for Drug Manufacturing: Zero Changes to DCS Systems
The Food and Drug Administration (FDA) stipulates that drug products be produced with a high degree of assurance that they contain all of the attributes they are intended to possess. It requires manufacturers maintain processes in a state of control over their entire lifecycle, even as materials, equipment, the production environment, personnel, and manufacturing procedures change.
Given that drug manufacturing processes rely on ICS, these systems cannot undergo any unintended changes. All access to critical assets in these systems must be tracked, including PLCs and DCSs.
However, ICS do not include built-in tools to enable automated tracking of access and changes. As a result, this requirement has been addressed using manual procedures, which are inaccurate and resource intensive.
The Root of the Problem: Lack of Visibility and Control in ICS Networks
Despite operating in a highly regulated environment, ICS networks used in pharma manufacturing lack basic controls required to ensure that FDA requirements are being met. For example, most control devices such as PLCs, RTUs and DCS controllers lack authentication, use default passwords, and their communication is not encrypted.
This makes it virtually impossible to prevent unauthorized changes to these systems. To make matters worse, the lack of event logs makes it is very difficult to identify changes.
This lack of visibility and control in ICS networks prevents the early detection of incidents, whether caused by cyber attacks or human error. As a result, problems are often detected too late - usually after disruptions have occurred and damaged goods are produced.
Enabling Accurate, Secure and Continuous Pharma Manufacturing Processes
The primary security challenge in pharma manufacturing, similar to most industries, is visibility into engineering activities. In ICS networks, changes to control-logic, PLC firmware and configuration are executed over proprietary, vendor-specific protocols known as the control-plane.
Each OT vendor uses their own implementation of the IEC-61131 Standard for Programmable Controllers, and since these are rarely documented, it creates a “black box” syndrome.
Since changes to critical assets controlling manufacturing processes are executed using proprietary vendor-specific protocols, there is no standard way to monitor/detect changes - whether malicious or unintentional, until it’s too late.
How Can Indegy's Industrial Cyber Security Solution Help?
Indegy's Industrial Cyber Security Platform enables engineers and security personnel to secure and control pharma manufacturing processes. The Indegy Platform monitors and tracks all ICS activity, including engineering-level access to control devices.
Using patent-pending technology, Indegy offers full visibility into the critical control-plane activity, uniquely identifying changes made to firmware, logic, code, and hardware configuration.
Indegy's Industrial Cyber Security Platform allows pharmaceutical manufacturing companies to meet FDA requirements, protect their intellectual property and reduce the risk of a damaging security breach by offering the following capabilities:
- Full tracking of ICS activities enables manufacturers to verify that no unauthorized changes are made to ICS and other sensitive processes
- Real-time alerts provide early detection of suspicious and unauthorized access so engineering staff can quickly address the issue and avert or minimize damage
- Logging of detailed information about each incident, whether legitimate or malicious, allowing engineers to quickly pinpoint the cause of the incident and shorten mitigation times
- Comprehensive audit trail helps engineers ensure maintenance was performed on schedule, while enabling security teams to identify unauthorized changes and determine the root cause
- Replacement of error-prone manual tracking with efficient and accurate automated asset management processes, which helps reduce costs and resource investments
To discuss Indegy’s solutions for the pharmaceutical industry, schedule a call with one of our experts.
Interested in learning how pharma manufacturing processeses can comply with NIST?