From the legal departments to the manufacturing facilities of pharma manufacturers, hackers sense a variety of vulnerabilities to exploit, and attempt to steal data or manipulate industrial processes. Pharma manufacturers are on the alert to get their IT security and Industrial Control Systems security readied to protect assets, industrial processes, or simply thwart mischief makers.
Pharmaceutical firms create and manage a large amount of intellectual property. When the data relates to patented drugs or medicines in development, this IP is exceedingly valuable, as the fortunes of the entire company can rest with this information. According to a Deloitte report titled “Cyber & Insider Risk at a Glance: The Pharmaceutical Industry,” the UK Government identified the pharma sector as the primary target of cybercriminals looking to steal IP, and estimated the costs of such theft at 9.2 billion pounds, with 1.8 billion of that total attributed to pharmaceutical, biotechnology, and healthcare. Such attacks often hit pharma giants, such as the June 2017 ransomware attacks that affected many companies, including Merck.
Pharma manufacturers are also attractive targets for geopolitical reasons. Many of these firms originate out of the United States, and some nation state actors and other politically-motivated groups will target these firms for a variety of reasons. Some drugs are extremely expensive, and might draw attention from “hacktivists” who attempt to access proprietary information and disclose data that the pharma firm would likely keep confidential. These hackers do not have traditional profit motives, but instead are simply looking for challenges and will play around in networks to see what they can find. The other type of illegal access is found with the “disgruntled employee” type who has a lot of secret information and perhaps wants to prove to the company how valuable they are (or were).
Drug formulations are held in very secure environments within the enterprise, essentially under “lock and key” when the formula is stored within a database. However, the formula at some point will turn into a drug, and then the formula comes to life in terms of amounts of liquids, powders, water, and other chemicals. The formula is revealed through that process, and if an unauthorized someone understood the process, then they can easily re-engineer the formulation. Pharma manufacturers must employ industrial-specific security tools and monitoring to prevent such occurrences and better manage the security implications of the actual production process.
Protecting Industrial Controls with the Right Tools
Within an industrial control systems network, there’s many different types of components that might be front-and-center and more behind-the-scenes. The typical manufacturing setting involves using multiple programmable logic controllers (PLCs) and distribution control systems that control the large batch processing of various compounds that are combined into a drug.
The PLCs and DCSs are controlling the low-level equipment in this manufacturing process; how to set parameters, opening and closing valves, and management of input/outputs. Consider a plant that uses a DCS system that performs flawlessly 99 percent of the time. The facility struggles to identify the DCS as the fault in the production change, and runs through wasted product and inefficient worker hours in a failed attempt to spot the faults. With a cybersecurity industrial control monitoring system in place, the plant could proactively recognize that the network design caused misconfigurations with the DCS. For example, maybe the because the process was eating up too much bandwidth which caused the “1 percent” occurrence of dropped I/O commands because of so much traffic and noise on the network. Looking at such a situation from a cybersecurity perspective, it’s clear how a hacker could replicate this issue, by getting on the network and causing a DNS attack which would disrupt various processes.
Implementing Best Practices for Industrial Systems
A problem today for senior C-level management with trying to manage data security is they often lean towards implementing solutions that are well known to themselves and IT. For example they’ll direct the team to put in place firewalls, anti-virus tools, and automated network patching to protect the network. But the CEO or other high-level exec is not diving into the minutiae of the security risks in a complex manufacturing environments. There’s a gaping hole when the network is protected, but not the industrial systems that actually formulate the drugs based on the intellectual property. The CEO might think everything in terms of security is buttoned up because they updated their anti-virus, but it’s mostly just IT security, and largely ignores the industrial side.
A solution to protect the “other side” of the security equation is to employ a solution that can detect anomalies within industrial networks. Facilities need a solution that can monitor the system of PLCs and DCSs that aren’t part of the typical corporate data network. Armed with such a platform, the engineers, control system operators and network security staff can have insight and control over various threats, without restricting the facility’s productivity or performance. Ideally, such a solution will continuously identify and analyze deviations from the norm, so a pharmaceutical manufacturer can eliminate risks to their IP and actual product integrity. Additional context and insights come from such a solution in terms of how it relates to other systems that are concurrently operating within the manufacturing plant. It give meaning to the other system, and can for example provide guidance on what firewall rules should look like, and send alerts when the firewall functions are out of the baseline.
Managing the Security and Operational Sides of the Equation
The risks facing pharma manufacturers are larger than just “cybersecurity” – there’s problems on the operational side. Some firms only provide protections and insight for the network, but their tech does not offer views into design flaws or misconfigurations within the actual production process. Consider the earlier example of the DCS controller that functioned well 99 percent of the time, but network traffic caused interruptions that disrupted the entire process. An advanced industrial control monitoring solution provides this extra layer of insight so firms can catch and stop small problems from becoming costly catastrophes.
The implementation of such a solution into the facility is critically important. When connecting to the environment to create a monitoring point, the software will be out on the network to capture data, but it’s vital that the solution is not creating traffic itself. The solution is not “getting in line” on the network, it’s simply listening to the traffic and checking all of the proprietary systems and protocols. If the monitoring solution created traffic, then it would risk interrupting the DCSs and the entire process – which simply cannot happen. The goal should not be to prevent every intrusion and then stop the system, because that causes errors in the actual production of the drug. It’s about detection and then speedy remedies.