In 2010, the industrial world changed, probably forever. The first cyber weapon, called Stuxnet, fashioned specifically to compromise industrial automation equipment, was turned loose on the world of manufacturing. Stuxnet crossed the boundaries of IT infrastructure and moved into industrial automation. It, and other worms soon after, compromised programmable logic controllers (PLCs), collected information on industrial systems and changed programming to deliberately damage the connected equipment. This was an alarm bell, but few managers had any idea of how to respond.
Today, process manufacturing in general and the pharmaceutical industry in particular are seeing increasing numbers of cybersecurity threats. To protect themselves, companies have to change the way they operate by addressing cybersecurity threats and designing appropriate defenses. Pharmaceutical companies have to recognize their high visibility and attractiveness as targets. They must work to understand cybersecurity concepts, identify weak points and implement appropriate security measures.
Process automation systems used to be considered safe. They were proprietary and isolated from external networks, effectively cutting off any attack vectors. This isolation didn’t last as companies established connections to IT networks to provide remote access by management. Often this provided a path all the way to the internet. Security-by-obscurity and air-gapped defenses quickly faded away due to a lack of effectiveness. The wide-scale introduction of the industrial internet of things (IIoT) and its fully connected factory concepts is tearing down any remaining isolation protections.
No Single Cure-All Solution
A bank’s customers expect their money to be protected. Not only does it lock its vault and office doors to protect physical assets, it also has to protect customer data and financial information. These require different methods of protection, so a multifaceted defensive strategy is necessary. Similarly, a connected pharmaceutical operation must use appropriate methods to protect its physical and digital assets.
Different types of assets require different methods of protection and there should be multiple layers of protection. That’s the logic behind defense-in-depth security. It assumes any single layer of protection can and likely will be defeated, and thus uses multiple layers of protection. How these are conceived and implemented has to be driven with appropriate authority to be effective.
A Top-Down Approach
All companies make some type of security effort, from locking the office door to having a password on a computer. Companies large enough to have basic IT services will implement various cyber protections, inadequate though they may be. Such is not always the case for manufacturing systems, also called operational technology (OT). This is considered a different world and consequently treated differently. Security-by-obscurity concepts are often still used whether they are valid or not. Not all senior managers understand this second world or how to protect it, often resulting in insufficient resources and budgets.
To secure the necessary support, a top-down approach is necessary, driven by senior-level managers using a risk-based methodology. Strong upper management support must be supplemented by dedicated champions and defined funding under a clear implementation process. The top layers of the organization deal with strategy, risk and governance while lower levels deal with operational tasks (Figure 1).
Bottom-up approaches alone rarely succeed in the long term. They may help address point issues or specific weaknesses, but they can’t reach far enough to take the bigger picture and root causes into account. The preferred methodology is to align a top-down approach, with its emphasis on planning, with a bottom-up approach to the daily work that must be done to implement a sustainable cybersecurity program.
Conducting a Risk Assessment
A cybersecurity program extends far beyond installing firewalls and anti-virus software. Cybersecurity programs for the IT or OT domains should be embedded into the company’s business processes at multiple levels. One proven cybersecurity program methodology embraces the FARM approach:
- Frame—Defines scope
- Assess—Measures risks
- Respond—Outlines responses to threats, and
- Monitor—Ensures continued effectiveness.
The assessment step determines the current security and maturity level of the plant and OT networks. It derives baselines for the protections implemented in the response step, and maps any gaps against the industry’s and the individual company’s protection level.
Protection level analysis provides a useful assessment yardstick. It is a two-sided technical measure to quantify the state of individual elements of a cybersecurity program. The protection level is derived from a combination of the security level, which can be provided by technical measures, and the existing maturity level of organizational measures. Let’s unpack this concept.
The security level (SL) is based on the requirements and represents the achieved protections available with the automation solution’s technical capabilities as determined by the assessment. The maturity level (ML) is inferred from the procedural capabilities of the plant or facility personnel. It is potentially associated with technical capabilities, such as administration of password policies enforced by automated login and account management software.