Plant and Data Security: Are You At Risk?

Last month, a Boeing Co. laptop containing the names and Social Security numbers of 382,000 workers and retirees was stolen, putting the employees at risk for identity theft and credit card fraud. Files on the computer also contained home addresses, phone numbers and birth dates. The laptop was simply left unattended.

If you think that pharmaceutical manufacturing facilities are not at risk, think again. Assume the worst when it comes to security. If it hasn’t been tried, it will be. Plans, policies and procedures all must be in place to avoid catastrophic consequences. For pharmaceutical manufacturers, this means the areas of personnel, process control and data management all must be analyzed and protected.

“Good security is measured by things that don’t happen,” says Ray O’Hara, senior vice president for Vance, an investigation and security consulting firm with clients in the pharmaceutical industry. But how do you prevent those things from happening?

Policies

Often overlooked, a security policy forms a basis for a comprehensive security program. A policy informs users, staff and managers of essential requirements when protecting company assets. It includes people, hardware and software processes as well as data assets. Security policies define the overall security and risk objectives of an organization.

In the old model, the focus was on physical assets and took steps to protect them. This is still true today, but data protection is equally important to securing business processes, control systems and other data, and protecting them is not easy.

Risk Assessments

Risk assessments/vulnerability studies form the backbone of any good security program. “From the outside, when you look at Y2K, nothing happened,” says Ernie Rakaczky, program manager of Process Control Network Security, Invensys Process Systems. “In reality, we were proactive and prevented anything from happening.”

A risk assessment identifies potential vulnerabilities. No procedure or recordkeeping process should escape scrutiny, from accepting delivery of raw materials to packaging and shipping the final product. For example, what systems are in place to reconcile variance between theoretical and actual yield?

“If 100 pills are said to be produced, and the count is only 95 due to spillage, where did those other five pills go?” O’Hara queries. “A system must be in place to track them.”

According to the University of Washington at St. Louis, elements for a good security policy in the information technology sector should include: confidentiality and privacy, access, accountability, authentication, availability, and system and network maintenance policy.

• Confidentiality

is the desire to protect private, proprietary and other sensitive information from those who do not have the right and need to obtain it.

• Access

defines rights, privileges and mechanisms to protect assets from access or loss.

• Accountability

defines the responsibilities of users, operations staff and management.

• Authentication

establishes password and authentication policy.

• Availability

establishes hours of resource availability, redundancy and recovery, and maintenance downtime periods.

• System and network maintenance

describes how both internal and external maintenance people are allowed to handle and access technology.

Process and Control Systems

In the past, control systems were proprietary and individualized to the plant. They were operated in an isolated or stand-alone environment where computer systems typically did not share information with systems not directly connected to the network. However, control systems have evolved due to the need for openness and demand for information flow throughout many locations. “Unfortunately, security was not the major focus when this transformation initially took place,” says Rakaczky.

Today, security is a focus of these systems as manufacturers and users have begun to figure out the unique problems they present. “Automation systems require 99.99% availability, so problem resolutions that require a reboot are unacceptable,” says Kim Fenrich, Project Solutions Manager, Power Generation, for ABB Inc. “In business systems, the primary consequences of a security incident are information disclosure or financial; in an automation system, an incident can cause health, safety and environmental issues. Therefore, different policies and procedures are necessary.”

Fortunately, control system users and providers have begun to collaborate and share information with each other. “There are lots of groups doing good work and information is being spread through user conferences, forum meetings and associations such as the ISA,” says Rakaczky.

The Department of Homeland Security established the US-CERT Control Systems Security Center in June 2004. It was founded to bring together control system owners, operators, vendors, industry associations and experts to address control systems cyber vulnerabilities and to develop and implement programs to reduce the success and impact of a cyber attack against a critical infrastructure. In May 2006, the document “Control Systems Cyber Security: Defense in Depth Strategies” was prepared by Idaho National Laboratory and is available at the DHS Control Systems Security website (http://csrp.inl.gov/Recommended_Practices.html#documentHash).

Another resource is the SANS Institute. This organization provides intensive, immersion training designed to help people master the practical steps necessary for defending systems and networks. They also develop, maintain and make available at no cost the largest collection of research documents about various aspects of information security and operate the Internet's early warning system - the Internet Storm Center.

Invensys Process Systems view security as a series of defenses that can be created to meet customer security vulnerabilities and threats. If one measure fails, another is ready to serve as backup. “It’s a team approach with hardware and software,” says Rakaczky. “How do we stop the wound from bleeding?”

Invensys looked at security issues several years ago and decided that they were in a unique position of already dealing with companies such as Microsoft, McAfee and Cisco at a company level. The company is now trying to leverage their knowledge to provide security support services including assessment, design, implementation and management, and take a lifetime focused view of how to best serve the end user community with security.

ABB believes users should implement an in-depth defense strategy that utilizes a security zone concept to secure automation systems. “This allows access between different security zones to be controlled in order to protect a trusted resource from an attack by a less trusted one. The automation system should be in a high security zone that is small and independent, utilizes a separate domain, applies the principle of least privilege and limits traffic through firewalls,” says Fenrich.

Hackers also are getting more intelligent and are starting to look at systems more. In October an infected laptop gave hackers access to computer systems at a Harrisburg, Pa., water treatment plant. The computer was compromised through the Internet, and then used as an entry point to install a computer virus and spyware on the plant’s computer system. “Technology changes every minute,” says O’Hara. “You have to have the ability to keep up to date and prevent infiltration.”

The Internet

Companies in the pharmaceutical industry are increasingly using the Internet to create new on-line services, reduce paper handling costs and provide more efficient access to data. Pharmaceutical companies that rely on the Internet for the electronic exchange of information need effective security.

In addition, the revised 21 Code of Federal Regulations (CFR) Part 11 stipulated by the Food and Drug Administration (FDA) requires pharmaceutical manufacturers to provide greater production transparency through audit trails and access control functions. While this code is being folded into the cGMPs, the requirements help security procedures. Part 11 requires electronic records and signatures to be reliable, trustworthy and essentially equivalent to paper records and handwritten signatures. Therefore, companies are compelled to develop sophisticated means of electronic validation and batch recording.

Database encryption helps control access to information and protects the confidentiality of data. However, all encryption is not created equal. Considerations include the quality of the encryption algorithm, how it is implemented and the size of the key used. Encryption technology can be neutralized by weak key management schemes.

“Don’t assume IT has it all under control,” says Fenrich. “Unsecured rogue devices, gaps in user knowledge and unknown external connections are some of the largest risks to a secure system.”

Latest and Greatest

New technologies are being positioned as security solutions. Pfizer is using Radio Frequency Identification (RFID) tags to help stop the counterfeiting of its drug, Viagra. Although recent litigation may have some impact on RFID’s adoption, O’Hara sees the technology’s future as a consumer security solution, allowing end users to ensure that any drug is legitimate and from a legitimate source.

There also is new software that helps protect corporate workstations and laptop computers from data theft and malware injection. VolumeShield has released AntiCopy Enterprise Edition v2.5. This software blocks the unauthorized use of portable storage devices and removable media, such as USB memory sticks, external hard drives, PDAs, iPods and CD/DVD burners.

A similar product, Endpoint Scanner by ControlGuard, searches your network to identify portable devices and removable media connected to endpoints. It takes a snapshot and reports exactly what devices are used by the organization and by whom.

Biometrics are being used for PC security and physical access. This technology identifies a person by reading their unique body features, such as a fingerprint. For example, Fujitsu Laboratories Limited has announced the world’s first contactless biometric authentication system that can verify a person’s identity by recognizing the pattern of blood veins in the palm. The technology combines reading the patterns without making physical contact and software that can authenticate an individual’s identity based on these patterns. Infrared light is used to capture an image of the palm as the hand is held over the sensor device. The software then extracts the vein pattern and compares it against patterns already stored in the database.

“In pharmaceutical manufacturing, clean rooms are one important area using these types of devices. You need good record keeping as part of this process. Even cleaning people might have to be escorted through some parts of the plant,” says O’Hara.

Value

Like everything else, security products must add value to the pharmaceutical manufacturer. “Since 100% security is not feasible, users should focus on critical areas and functions first, and apply security measures that are based on the value of the data or application. The key is to obtain a balance between the cost of applying security measures and the risk of an incident,” says Fenrich.

According to O’Hara what actually is being manufactured might have an affect on the processes in place. For example, making morphine might have more strict processes than an over-the-counter drug. “When it comes to security, there are no hard and fast rules. In order to implement, costs must be manageable.”