Last month, a Boeing Co. laptop containing the names and Social Security numbers of 382,000 workers and retirees was stolen, putting the employees at risk for identity theft and credit card fraud. Files on the computer also contained home addresses, phone numbers and birth dates. The laptop was simply left unattended.
If you think that pharmaceutical manufacturing facilities are not at risk, think again. Assume the worst when it comes to security. If it hasn’t been tried, it will be. Plans, policies and procedures all must be in place to avoid catastrophic consequences. For pharmaceutical manufacturers, this means the areas of personnel, process control and data management all must be analyzed and protected.
“Good security is measured by things that don’t happen,” says Ray O’Hara, senior vice president for Vance, an investigation and security consulting firm with clients in the pharmaceutical industry. But how do you prevent those things from happening?
Often overlooked, a security policy forms a basis for a comprehensive security program. A policy informs users, staff and managers of essential requirements when protecting company assets. It includes people, hardware and software processes as well as data assets. Security policies define the overall security and risk objectives of an organization.
In the old model, the focus was on physical assets and took steps to protect them. This is still true today, but data protection is equally important to securing business processes, control systems and other data, and protecting them is not easy.
Risk assessments/vulnerability studies form the backbone of any good security program. “From the outside, when you look at Y2K, nothing happened,” says Ernie Rakaczky, program manager of Process Control Network Security, Invensys Process Systems. “In reality, we were proactive and prevented anything from happening.”
A risk assessment identifies potential vulnerabilities. No procedure or recordkeeping process should escape scrutiny, from accepting delivery of raw materials to packaging and shipping the final product. For example, what systems are in place to reconcile variance between theoretical and actual yield?
“If 100 pills are said to be produced, and the count is only 95 due to spillage, where did those other five pills go?” O’Hara queries. “A system must be in place to track them.”
According to the University of Washington at St. Louis, elements for a good security policy in the information technology sector should include: confidentiality and privacy, access, accountability, authentication, availability, and system and network maintenance policy.
- is the desire to protect private, proprietary and other sensitive information from those who do not have the right and need to obtain it.
- defines rights, privileges and mechanisms to protect assets from access or loss.
- defines the responsibilities of users, operations staff and management.
- establishes password and authentication policy.
- establishes hours of resource availability, redundancy and recovery, and maintenance downtime periods.
- System and network maintenance
- describes how both internal and external maintenance people are allowed to handle and access technology.
Process and Control Systems
In the past, control systems were proprietary and individualized to the plant. They were operated in an isolated or stand-alone environment where computer systems typically did not share information with systems not directly connected to the network. However, control systems have evolved due to the need for openness and demand for information flow throughout many locations. “Unfortunately, security was not the major focus when this transformation initially took place,” says Rakaczky.
Today, security is a focus of these systems as manufacturers and users have begun to figure out the unique problems they present. “Automation systems require 99.99% availability, so problem resolutions that require a reboot are unacceptable,” says Kim Fenrich, Project Solutions Manager, Power Generation, for ABB Inc. “In business systems, the primary consequences of a security incident are information disclosure or financial; in an automation system, an incident can cause health, safety and environmental issues. Therefore, different policies and procedures are necessary.”
Fortunately, control system users and providers have begun to collaborate and share information with each other. “There are lots of groups doing good work and information is being spread through user conferences, forum meetings and associations such as the ISA,” says Rakaczky.
The Department of Homeland Security established the US-CERT Control Systems Security Center in June 2004. It was founded to bring together control system owners, operators, vendors, industry associations and experts to address control systems cyber vulnerabilities and to develop and implement programs to reduce the success and impact of a cyber attack against a critical infrastructure. In May 2006, the document “Control Systems Cyber Security: Defense in Depth Strategies” was prepared by Idaho National Laboratory and is available at the DHS Control Systems Security website (http://csrp.inl.gov/Recommended_Practices.html#documentHash).
Another resource is the SANS Institute. This organization provides intensive, immersion training designed to help people master the practical steps necessary for defending systems and networks. They also develop, maintain and make available at no cost the largest collection of research documents about various aspects of information security and operate the Internet's early warning system - the Internet Storm Center.