Mandates such as anti-counterfeiting laws are driving pharma operations toward an information-enabled state.
There are clear benefits to this. Digitized processes and connected systems give you the foundation for full traceability to meet pharma-serialization requirements. New technology, such as modern manufacturing execution system (MES) software, can also help you enforce strict instructions for quality and reduce the amount of time your product sits in quarantine for testing and validation.
But there also are undeniable security risks that must be addressed.
More connections to your network can create pathways for outsiders to your highly valued intellectual property and other sensitive information, such as patient trial records. Greater connectivity also can increase the risk of production interference – from altering product recipes to changing processes – that can compromise product quality and even put lives at risk.
Without question, industrial security can be a big undertaking. But there are some well-established best practices and resources to help solidify your security strategy.
There’s no magic bullet when it comes to security. No single technology or methodology will get the job done. Your security efforts must be comprehensive.
That means using a defense-in-depth security approach. Recommended in the IEC 62443 standard series (formerly ISA99), defense-in-depth security assumes that any one point of protection can and likely will be thwarted. As a result, it uses multiple layers of protection across six different levels:
- Policies and procedures
Jim LaBonty, director of global automation for Pfizer Global Engineering, spoke at last year’s Automation Fair event about the importance of using integrated layers of defense. Among the security measures Pfizer uses, he mentioned, is software to analyze network traffic patterns.
Indeed, anomaly-detection software has advanced to the point where it’s almost an essential tool for mitigating both malicious and nonmalicious threats. The software can create an inventory of your industrial network assets, monitor the traffic between them, and analyze communications for threats at the deepest level of industrial network protocols. And it can do all this without disrupting your operations, assuming the software you choose uses passive monitoring.
LaBonty said Pfizer uses security zones to protect business assets from each other, with the zones divided by purpose-built firewalls. He also said the company segments older equipment away from newer systems and devices, and that lines must be drawn between automation and IT teams.
“It’s good for security to establish clear roles and responsibilities, and it helps when different players need to talk to each other,” LaBonty said. “This demarcation is also important because Pfizer outsources a lot of IT, and they’re not familiar with our individual sites. So, we definitely don’t want them trying to manage any production because they don’t know the ramification of their actions.”
Other security measures that should be used in pharma as part of a defense-in-depth approach include authentication, authorization and accounting software. It can restrict who can access your network and what they can do on it, as well as provide a complete audit trail of their actions. An industrial DMZ (IDMZ) also should be used. It provides a critical barrier between your enterprise and production, restricting traffic from directly traveling between the two zones.
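The two checks described above, passive anomaly detection over an asset inventory and traffic baseline, and the IDMZ rule that enterprise and production must never exchange traffic directly, can be illustrated together. The following is an added example, not code from the article or from any Rockwell Automation or Pfizer product; the addresses, zone names, protocol labels and baseline are all constructed for a hypothetical plant.

```python
"""Passive zone/baseline review of constructed flow records (hypothetical plant)."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto")

# Constructed asset inventory: address -> security zone (assumption, not from the article)
ZONES = {
    "10.1.0.5": "enterprise",       # ERP server
    "10.1.0.9": "enterprise",       # reporting workstation
    "172.16.0.10": "idmz",          # data broker / reverse proxy in the IDMZ
    "192.168.10.20": "production",  # MES server
    "192.168.10.31": "production",  # PLC on a packaging line
}

# Constructed learned baseline of expected (src, dst, proto) conversations
BASELINE = {
    ("10.1.0.5", "172.16.0.10", "https"),        # ERP -> IDMZ broker
    ("172.16.0.10", "192.168.10.20", "https"),   # IDMZ broker -> MES
    ("192.168.10.20", "192.168.10.31", "cip"),   # MES -> PLC
}


def classify(flow, zones=ZONES, baseline=BASELINE):
    """Return findings for one observed flow; an empty list means 'expected'."""
    findings = []
    src_zone, dst_zone = zones.get(flow.src), zones.get(flow.dst)
    if src_zone is None or dst_zone is None:
        # Inventory check: an endpoint we have never seen in the asset list
        unknown = flow.src if src_zone is None else flow.dst
        findings.append(f"unknown asset {unknown}")
    # IDMZ rule: enterprise and production zones must not talk to each other directly
    if {src_zone, dst_zone} == {"enterprise", "production"}:
        findings.append("direct enterprise<->production traffic bypasses IDMZ")
    # Baseline check: a conversation or protocol not seen during the learning period
    if (flow.src, flow.dst, flow.proto) not in baseline:
        findings.append(f"new conversation {flow.src}->{flow.dst} {flow.proto}")
    return findings


def review(flows, zones=ZONES, baseline=BASELINE):
    """Map every flow to its findings; only flows with findings need an analyst's eye."""
    return {f: classify(f, zones, baseline) for f in flows}


# Constructed sample capture: two expected flows, one IDMZ bypass, one unknown laptop
SAMPLE_FLOWS = [
    Flow("10.1.0.5", "172.16.0.10", "https"),
    Flow("192.168.10.20", "192.168.10.31", "cip"),
    Flow("10.1.0.9", "192.168.10.31", "cip"),     # workstation writing straight to the PLC
    Flow("192.168.10.99", "192.168.10.20", "http"),  # address not in the inventory
]
```

Because the check only reads flow records, it never injects traffic into the control network, which is the passive-monitoring property the text calls out.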
Resources and Support
There’s an abundance of resources and support available outside your walls to help meet your security needs.
Converged Plantwide Ethernet (CPwE) reference architectures are a good place to start, especially if you’re upgrading your network infrastructure or designing it from the ground up. Rockwell Automation and Cisco jointly developed these architectures. They provide the foundation for creating future-ready network infrastructures that maximize bandwidth and reduce jitter and latency, while also addressing security risks.
Additionally, security service providers can provide help when resources or skillsets aren’t internally available. They can be especially valuable in pharma operations where IT has ownership of the industrial network but has limited familiarity with production technologies or plant-floor requirements.
Service providers can help with any aspect of your network’s deployment, from assessments and design work to implementation and ongoing support. As part of this support, they also can manage specific aspects of your security program. These services could include monitoring anomaly-detection software, managing firewalls and patching anti-virus software.
Some companies even choose to use infrastructure-as-a-service (IaaS). In this model, a service provider implements and manages your entire network, including security aspects like user access and anomaly detection.
Making Security Manageable
Industrial security risks can feel too overwhelming to overcome – but they don’t need to be.
Industry-established best security practices, reference architectures and security service providers can help you protect intellectual property and product integrity. This way, you can get the most from connected technologies without worrying about what lurks around every corner.