A rigorous approach to industrial security is essential for protecting intellectual property and product integrity in connected pharmaceutical operations.
There are clear benefits to connected operations. Digitized processes and connected systems provide the foundation for full traceability to meet serialization requirements. New technology, such as modern manufacturing execution system software, can also help enforce strict instructions for quality and reduce the amount of time product sits in quarantine for testing and validation. But there also are undeniable security risks that must be addressed.
More connections to a network can create pathways for outsiders to intellectual property and other sensitive information, such as patient trial records. Greater connectivity also can increase the risk of production interference-from altering product recipes to changing processesÂ-that can compromise product quality and even put lives at risk. Without question, industrial security can be a big undertaking. But there are some well-established best practices and resources to help solidify a security strategy.
Defense-in-depth security
There’s no magic bullet when it comes to security. No single technology or methodology will get the job done. Security efforts must be comprehensive. That means using a defense-in-depth security approach. Recommended in the International Electrotechnical Commission (IEC) 62443 standard series (formerly ISA99) (1), defense-in-depth security assumes that any one point of protection can and likely will be thwarted. As a result, it uses multiple layers of protection across six different levels:
Jim LaBonty, director of global automation for Pfizer Global Engineering, spoke at Rockwell Automation’s 2016 Automation Fair event about the importance of using integrated layers of defense. Among the security measures Pfizer uses, he mentioned, is software to analyze network traffic patterns (2).
Indeed, anomaly-detection software has advanced to the point where it’s almost an essential tool for mitigating both malicious and nonmalicious threats. The software can create an inventory of industrial network assets, monitor the traffic between them, and analyze communications for threats at the deepest level of industrial network protocols. And it can do all this without disrupting operations, assuming the software uses passive monitoring.
LaBonty said Pfizer uses security zones to protect business assets from each other, with the zones divided by purpose-built firewalls. He also said the company segments older equipment away from newer systems and devices, and that lines must be drawn between automation and information technology (IT) teams. He explained that establishing clear roles and responsibilities is good for security, and noted that this demarcation is also important because Pfizer outsources a lot of IT to companies who shouldn’t have access to production.
Other security measures that should be used in pharma as part of a defense-in-depth approach include authentication, authorization, and accounting software. This software can restrict who can access a network and what they can do on it, as well as provide a complete audit trail of their actions. An industrial demilitarized zone (IDMZ) also should be used. It provides a critical barrier between the enterprise and production, restricting traffic from directly traveling between the two zones.
Resources and support
There’s an abundance of resources and support available to help meet security needs. Converged plantwide ethernet (CPwE) reference architectures are a good place to start, especially if a company is upgrading its’ network infrastructure or designing it from the ground up. Rockwell Automation and Cisco jointly developed these architectures. They provide the foundation for creating future-ready network infrastructures that maximize bandwidth, and they reduce jitter (i.e., the difference in packet arrival time) and latency while also addressing security risks.
Additionally, security service providers can provide help when resources or skillsets aren’t internally available. They can be especially valuable in pharma operations where IT has ownership of the industrial network but has limited familiarity with production technologies or plant-floor requirements. Service providers can help with any aspect of a network’s deployment, from assessments and design work to implementation and ongoing support. As part of this support, they also can manage specific aspects of a security program. These services could include monitoring anomaly-detection software, managing firewalls, and patching anti-virus software. Some companies even choose to use infrastructure-as-a-service (IaaS). In this model, a service provider implements and manages an entire network, including security aspects like user access and anomaly detection.
Making security manageable
Industrial security risks can feel too overwhelming to overcome-but they don’t need to be. Industry-established best security practices, reference architectures, and security service providers can help a company protect intellectual property and product integrity and get the most from connected technologies without worrying about what lurks around every corner.
References
About the author
Mark Cristiano is Network and Security Services business development manager, Rockwell Automation.