Cybersecurity strategies for the life sciences industry

    April 8, 2025
    With a digital-first foundation and deep IT/OT integration, many life sciences companies embrace cutting-edge cybersecurity solutions by leveraging innovation, collaboration and automation expertise to stay ahead of evolving threats and gain a competitive edge.
    ,
    67f5043d801ab62e1586a1ef Shutterstock 2569150503

    Cybersecurity has always been a complex issue for operational technology (OT) teams. Because the cybersecurity threat landscape changes much faster than the underlying technologies that support OT, it can be incredibly difficult to stay ahead of the curve. As a result, most industries take an extremely pragmatic approach to cybersecurity. 

    The life sciences industry, however, tends to take a different approach. While still operating with great caution, life sciences OT teams are often more innovative and pioneering when it comes to cybersecurity than is common in other industries. At the heart of this difference is a variance in perspective on a core concept in cybersecurity: the confidentiality, integrity and availability (CIA) triad. The CIA triad is comprised of three key principles of protecting organizations, and every team needs to find a balance among the three CIA requirements

    OT teams typically put availability at the top of the triad. Process manufacturing operations usually cannot afford to halt unexpectedly for safety, patient supply and financial reasons. Cybersecurity, while critical, cannot come at the expense of interrupting production. However, in life sciences, availability is critical, but life sciences OT teams typically prioritize data integrity and confidentiality over availability, often because OT systems infrastructure is standardized as much as possible on the information technology (IT) department standards.

    An increased focus on integrity and confidentiality relates directly to the unique business needs of life sciences OT teams. Life sciences companies are making products specifically for patients with medical needs, so they need to be extra careful that they produce products to very exacting specifications, and that nothing unnecessarily delays the release of products, as sticking to schedules can literally be life and death in various subsegments in the industry. 

    Modern good manufacturing practices go a long way toward assuring quality and availability, but cybersecure operations are also critical to ensuring bad actors do not stand in the way of quality release processes. Life sciences OT teams need to ensure their processes aren’t compromised, while also maintaining data integrity, so they can track and trend issues and properly report to regulating authorities. This makes this industry more of a target on the data integrity front than other manufacturers. 

    In addition, patent issues are extremely critical in life sciences. Not only do OT teams need to protect their companies’ trade secrets to ensure their competitive advantage, but they also must ensure that they remain profitable (by patent protection, early follow-on generics, optimization strategies, etc.) so they can continue to supply products to patients. While no company wants its trade secrets released to the outside world, life sciences companies are particularly at risk due to the nature of their business.

    As a result of their unique position in the global marketplace, life sciences OT teams are often less risk averse than their counterparts in other industries when it comes to implementing cybersecurity technologies. Life sciences teams tend to be innovators, willing to try newer cybersecurity technologies even if they are not 100% field proven — as long as they provide value that offsets the risk of process disruption and do not compromise product quality (Figure 1). 

    A technology-forward industry 

    There are numerous reasons that life sciences OT teams have a reputation as cybersecurity innovators rather than as strict pragmatists. First and foremost, many life sciences companies today are smaller, more nimble innovators in comparison to other industries. These companies are often born digital, starting from a foundation of technology solutions that speed commercial success and allow them to stay flexible.

    Often, modern life sciences organizations are more willing to lean into the fast to fail approach that technology companies are used to. As life sciences companies move away from single blockbuster treatments in favor of smaller batches, with more regionalization and customized therapies, this trend will continue to grow.

    Even manufacturers with decades of operations under their belts are adopting more born-digital approaches as they acquire and build out new treatment processes, including personalized therapies. Ultimately, such an approach means accepting new technology — and its inherent complexities and drawbacks — as natural, which, in turn, makes it easier to adopt cybersecurity solutions that may be more cutting-edge.

    Because life sciences OT teams are often born digital, they also tend to be more comfortable with IT concepts, systems and architectures. As teams are already integrating numerous digital technologies from the very first stages of their processes, they come to rely on IT teams to supply an existing infrastructure for their solutions. 

    In fact, many life sciences OT teams consider their operational technologies as software solutions needing to be plugged into their existing, pre-secured IT infrastructure, rather than the other way around. This creates a tendency for life sciences teams, at least in some industry subsegments, to take a more piecemeal approach to solution implementation than their counterparts in other industries.  

    An innovative approach brings benefits 

    As life sciences OT teams take more pioneering, innovative approaches to cybersecurity, they tend to see significant advantages. There is no question that innovation is a key element of capturing competitive advantage — a fact that is equally true with cybersecurity as it is with any other technology area. 

    Taking innovative approaches to cybersecurity and, by association, adopting new technologies early, often means that some life sciences companies gain advantages of new solutions well before competitors who are more pragmatic. Modern cybersecurity technologies like zero trust architecture are opening entirely new ways of approaching security and connectivity in parallel. This allows implementations to be faster and more efficient, while also providing access to valuable, high-level business insights that can drive advanced analytics and better decision making for more competitive operations. For teams that want to maintain flexibility, such as those who want to be able to quickly change treatment manufacturing to meet shifting market and patient needs, these insights, and the connectivity necessary to adapt to them, are critical. 

    Another significant advantage for pioneering life sciences OT teams is that they tend to have fewer struggles at the IT/OT convergence. Instead of pushing against new IT technologies, innovative OT teams are likely to embrace them — a strategy IT groups have been following for decades. The obvious benefit to this acceptance of IT strategies is fast access to advanced technologies. Additionally, it can also lead to improved collaboration between IT and OT teams, helping shorten project times and reducing the complexity of systems that must be managed by two groups. 

    Innovation without direction creates risk 

    While an innovative approach to cybersecurity implementation can open teams up to a wide array of advantages, it can also create drawbacks when teams are not cautious in the implementation of their new technologies. One of the most obvious risks of being the first organization in an industry to adopt a new technology is the chance that technology will not work as advertised.

    New cybersecurity technologies emerge almost daily, and some are far more effective than others. Few, however, will be simple and cheap to implement. Any cybersecurity solution for manufacturing is likely to come with a high price tag and to require many hours for implementation, testing and support. 

    If a new technology proves to be less useful than the team originally anticipated, it can often lead to significant waste. More importantly, however, a solution that does not work can also lead to significant — and sometimes increased — risk. An organization relying too much on a new and untested technology can find itself without adequate protection, or, in the case of a solution with a critical exploit, the company can become a target.

    A less obvious, but still significant, risk cybersecurity innovators face is that the solutions they implement will change in ways that are not compatible with the OT team’s operations. Often, the goal of a cybersecurity startup is to prove an idea and then sell it off when it becomes successful enough. This means critical technologies which a life sciences OT team relies on can change hands, and, often, with a change in ownership comes a change in functionality or support. 

    Moreover, some cybersecurity companies simply fail, and support for their products disappears with them. If an OT team is too dependent on a single technology that changes too dramatically or disappears altogether, they can find themselves scrambling and spending more money to quickly close gaps in their protection (Figure 2). 

    Real-world challenges 

    One multi-national life sciences innovator spent significant time and money working with their automation solution provider to validate a brand-new cybersecurity solution that they wanted to use to secure their control architecture. The OT team felt the new system was better than antivirus and other common, field-proven solutions, so they opted to spend the time and effort necessary to get it to work in their control environment.

    The solution proved complicated to implement and even more difficult to maintain, and a great deal of work went into successfully integrating it into an OT environment. However, in the time the company took to go through the journey of successful implementation, the cybersecurity solution provider went out of business, leaving them with a technology that would shortly reach its end of life. Ultimately, though the implementation was successful, the investment did not pay off. 

    Collaboration drives direction 

    Even the boldest innovators will need some guidance as they strive to implement the latest and greatest cybersecurity solutions. Because automation systems are among the most critical and most complex assets to protect, working closely with the providers of those systems — not only to design solutions, but also to plan for the future — can be a critical differentiator for success. 

    One place where even innovators can start is with a risk assessment to help them determine what types of protections will be most effective and reliable for a life sciences industrial control environment. The most effective automation solutions providers will be well versed in the current threat landscape for life sciences companies and can therefore help identify the most effective strategies to combat those threats. 

    In addition, as threats evolve over time, life sciences OT teams can collaborate regularly with their automation solutions providers to evaluate if the protections and roadmap the team has in place are enough, or if modern threats necessitate a change of direction. Regular assessments in tandem with an expert provider can make it easier to dynamically update security policy without creating new issues

    Staying ahead of emerging threats is not the only critical strategy for cybersecurity success, especially in more pioneering organizations. OT teams wanting the latest and greatest cybersecurity solutions will also need to ensure the new solutions they want to implement will work with their existing control architecture. This intersection is where complexity often increases. The latest and greatest cybersecurity technologies will not always be fully tested and vetted with existing control technologies. However, that conflict does not need to be resolved by going it alone. 

    Manufacturers and solution providers can work in tandem to create conceptual designs for new technologies, and to build documentation around those solutions to lock in their success over the long term. Teams crewed by life sciences OT personnel and automation solution provider experts can build and document agreement frameworks so everyone understands the expectations of how new solutions will be implemented and supported. Agreement documents spanning sales, engineering and support can go a long way to help teams evolve and adapt new cybersecurity solutions for their needs.  

    Real-world collaboration success 

    For one life sciences company, single-sign-on was a critical cybersecurity capability, though, at the time, it was not supported by their automation solution provider. Working closely together, the OT team and the solution provider collaborated to build a deep file of documentation for how the solution (based on unique requirements) could be best implemented, validated and maintained over time.

    The system — as per the documentation — is tested on a regular basis, and the life sciences company has fallback strategies in place in case a problem arises that the automation solution provider’s support team cannot solve. This type of documented collaboration provides efficient and effective compromise. 

    Maintaining a thoughtful approach 

    The cybersecurity solution landscape is growing at a remarkable pace, so it makes sense for innovative life sciences organizations to keep their eye on emerging solutions and then opt to implement those that will provide cutting-edge defense.

    While new technologies can be complex to implement in an industrial control setting, it does not mean teams should shy away from being trailblazers. Discretion, collaboration and communication of intentions will go a long way toward ensuring that trailblazing cybersecurity projects deliver on their intended value, without disrupting operations. 

    About the Author

    Michalle Adkins | Director, Life Sciences Strategy, Emerson

    Michalle Adkins is director life sciences strategy and direction. She loves working in the life sciences world and has done so for over 30 years. She previously led the Emerson life sciences consulting team that used their varied experiences to work with several top pharmaceutical and biotech companies to provide consulting services for digital plant maturity assessments, future direction planning, solutions mapping, business justifications, and project definition. Prior to Emerson, she worked for Merck & Co., Inc. in various capacities including instrumentation, automation, and manufacturing, as well as vaccine scheduling and planning.

    Ms. Adkins has a B.S. in Chemical Engineering and an M.E. in Industrial Engineering from The Pennsylvania State University as well as a Six Sigma Black Belt Master's Certificate from Villanova University.

    About the Author

    Alexandre Peixoto

    Alexandre Peixoto is currently cybersecurity business director of Emerson’s process systems and solutions business. In this role since June 2021, Peixoto is responsible for sales and operations of cybersecurity solutions and services for the DeltaV system installed base. He actively provides consultation to customers and stakeholders across the organization to improve their cybersecurity posture while reducing the exposure to cyber-threats, hence increasing process uptime. 

    Peixoto’s 23 years in the automation business include previous roles in engineering, sales, project execution, business management, product marketing and lifecycle services.  

    Originally from Brazil, Peixoto has lived in Australia and Mexico before being transferred to Austin, Texas. He attained his electrical engineering degree from UNIFEI (Itajuba Federal University) with a major in automation & control. He earned his executive MBA degree from the Hankamer School of Business (Baylor University).