Plant and Data Security: Are You At Risk?
By Bill Swichtenberg, Senior Editor
Last month, a Boeing Co. laptop containing the names and Social Security numbers of 382,000 workers and retirees was stolen, putting the employees at risk for identity theft and credit card fraud. Files on the computer also contained home addresses, phone numbers and birth dates. The laptop was simply left unattended.
If you think that pharmaceutical manufacturing facilities are not at risk, think again. Assume the worst when it comes to security. If it hasn’t been tried, it will be. Plans, policies and procedures all must be in place to avoid catastrophic consequences. For pharmaceutical manufacturers, this means the areas of personnel, process control and data management all must be analyzed and protected.
“Good security is measured by things that don’t happen,” says Ray O’Hara, senior vice president for Vance, an investigation and security consulting firm with clients in the pharmaceutical industry. But how do you prevent those things from happening?
Often overlooked, a security policy forms a basis for a comprehensive security program. A policy informs users, staff and managers of essential requirements when protecting company assets. It includes people, hardware and software processes as well as data assets. Security policies define the overall security and risk objectives of an organization.
In the old model, the focus was on physical assets and the steps taken to protect them. This is still true today, but data protection is equally important to securing business processes, control systems and other data, and protecting them is not easy.
Risk assessments/vulnerability studies form the backbone of any good security program. “From the outside, when you look at Y2K, nothing happened,” says Ernie Rakaczky, program manager of Process Control Network Security, Invensys Process Systems. “In reality, we were proactive and prevented anything from happening.”
A risk assessment identifies potential vulnerabilities. No procedure or recordkeeping process should escape scrutiny, from accepting delivery of raw materials to packaging and shipping the final product. For example, what systems are in place to reconcile variance between theoretical and actual yield?
“If 100 pills are said to be produced, and the count is only 95 due to spillage, where did those other five pills go?” O’Hara queries. “A system must be in place to track them.”
According to the University of Washington at St. Louis, elements for a good security policy in the information technology sector should include: confidentiality and privacy, access, accountability, authentication, availability, and system and network maintenance policy.
In the past, control systems were proprietary and individualized to the plant. They were operated in an isolated or stand-alone environment where computer systems typically did not share information with systems not directly connected to the network. However, control systems have evolved due to the need for openness and demand for information flow throughout many locations. “Unfortunately, security was not the major focus when this transformation initially took place,” says Rakaczky.
Today, security is a focus of these systems as manufacturers and users have begun to figure out the unique problems they present. “Automation systems require 99.99% availability, so problem resolutions that require a reboot are unacceptable,” says Kim Fenrich, Project Solutions Manager, Power Generation, for ABB Inc. “In business systems, the primary consequences of a security incident are information disclosure or financial; in an automation system, an incident can cause health, safety and environmental issues. Therefore, different policies and procedures are necessary.”
Fortunately, control system users and providers have begun to collaborate and share information with each other. “There are lots of groups doing good work and information is being spread through user conferences, forum meetings and associations such as the ISA,” says Rakaczky.
The Department of Homeland Security established the US-CERT Control Systems Security Center in June 2004. It was founded to bring together control system owners, operators, vendors, industry associations and experts to address control systems cyber vulnerabilities and to develop and implement programs to reduce the success and impact of a cyber attack against a critical infrastructure. In May 2006, the document “Control Systems Cyber Security: Defense in Depth Strategies” was prepared by Idaho National Laboratory and is available at the DHS Control Systems Security website (http://csrp.inl.gov/Recommended_Practices.html#documentHash).
PharmaManufacturing.com is the site for knowledge, news and analysis for manufacturing and other professionals working in the pharmaceutical, biopharmaceutical and biotech industries.