I was recently attending a panel discussion between manufacturers in the food & beverage, pharmaceutical and public utility sectors when a question was asked about the efforts the companies have made around track and trace and security. Two of the panelists said they rely on air gapping to maintain security, and track and trace is done through a homegrown system or an existing manufacturing execution system (MES).
Then a representative from a large pharmaceutical company chimed in and noted that security between the business network and the production network relied solely upon a firewall. “We should move to a DMZ networking architecture,” the pharma automation engineer admitted. (Yes, that might be a good idea.) And, as for serialization, he said, “we are decades behind…but it’s an FDA requirement so we are working on that.”
I believe at that moment I let out an audible gasp.
Phase one of the FDA deadlines for the Drug Supply Chain Security Act (DSCSA) took effect in 2015, with phase two beginning next year and the final phase due in 2023. That a very large manufacturer is “decades behind” on compliance is startling. But it probably represents the majority of companies, which may be overwhelmed by requirements imposed on an antiquated legacy architecture. And making product takes precedence over investing in technology to meet new guidelines. Still, in the hyper-connected world we live in, there is no time to sit back and wait.
To that end, the “air gap” comments got me thinking more about security. Smart manufacturing and the Industrial Internet of Things (IIoT)—which requires connectivity between industrial control systems (ICS), plant floor equipment and the Internet— will be an important part of production and the supply chain in the not-too-distant future. This move to digitalization will also require opening up that air gap, and I don’t think many pharmaceutical companies are prepared for that.
According to the SANS Institute’s 2016 State of ICS Security survey, companies across all industry segments feel their control systems are more threatened than they were a year earlier. In the 2015 survey, only 8 percent of respondents rated the threat level to their control systems as severe, 35 percent rated it high, and 38 percent rated it moderate. When the same question was posed in 2016, 24 percent of respondents perceived a severe or critical threat level, 43 percent rated ICS threats high, and 23 percent said threats remained moderate.
The SANS survey also reports rising concern about internal threats, including supply chain partners, rather than a cyber criminal lurking somewhere in the darkness of the Internet. After all, an external hacker would gain little by shutting down a pill production line. But it’s not always about disrupting manufacturing.
Ransomware—malware that encrypts computer files and holds the data hostage until the organization pays up (typically in bitcoin)—is on the rise. Earlier this year a pharmaceutical company in India fell victim to ransomware, and here in the U.S., more than 4,000 ransomware attacks have occurred daily on average since January 1, 2016, according to the U.S. Department of Justice. Digital extortion is yet another thing to worry about.
There is a movement underway toward intrinsic security—or security by design—in which control system and network components have cybersecurity capabilities built into the equipment rather than bolted on. That is a great option for a company building out new control system infrastructure. But protecting legacy ICS requires multiple added layers of security and, perhaps just as important, collaboration between the IT and OT teams.
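To make concrete what one of those layers looks like, here is a small policy check contrasting the single-firewall setup the pharma engineer described with the DMZ architecture he said they should move to. This is an added example, not code from the article or from any vendor: the zone names `business`, `dmz` and `control`, the ports, and both rule sets are constructed for illustration and stand in for a business network, an industrial DMZ and a control network.

```python
"""Policy check: can the business network open connections straight into the
control network, or must every flow terminate on a host in the DMZ?

Added example, not from the original article. Zone names, ports and both
rule sets are constructed; a real policy would live in the firewall's own
syntax, but the question asked of it is the same.
"""
from dataclasses import dataclass

ANY_PORT = 0  # wildcard destination port in a rule


@dataclass(frozen=True)
class Rule:
    src: str     # zone that may initiate the connection
    dst: str     # destination zone
    dport: int   # TCP destination port, or ANY_PORT
    action: str  # "allow" or "deny"


# Constructed "firewall only" policy: one firewall between business and
# control networks, and business hosts talk straight to control-side systems.
FLAT_POLICY = [
    Rule("business", "control", 4840, "allow"),  # OPC UA to the historian
    Rule("business", "control", 1433, "allow"),  # SQL to the historian
    Rule("business", "control", 3389, "allow"),  # RDP for vendor support
    Rule("business", "control", ANY_PORT, "deny"),
]

# Constructed DMZ policy carrying the same business needs. Business hosts
# reach only a historian replica and a jump host in the DMZ; only DMZ hosts
# may initiate connections into the control network; the direct path is denied.
DMZ_POLICY = [
    Rule("business", "dmz", 1433, "allow"),      # read from the replica
    Rule("business", "dmz", 3389, "allow"),      # RDP to the jump host
    Rule("dmz", "control", 4840, "allow"),       # replica pulls from historian
    Rule("dmz", "control", 3389, "allow"),       # jump host to engineering WS
    Rule("business", "control", ANY_PORT, "deny"),
    Rule("control", "business", ANY_PORT, "deny"),
]


def allowed(policy, src, dst, dport):
    """First-match evaluation with an implicit deny at the end."""
    for rule in policy:
        if rule.src == src and rule.dst == dst and rule.dport in (dport, ANY_PORT):
            return rule.action == "allow"
    return False


def direct_ports(policy, src="business", dst="control"):
    """Ports on which `src` may open a connection straight into `dst`.

    Each candidate is re-evaluated with allowed() so an allow rule shadowed
    by an earlier deny is not counted.
    """
    candidates = {r.dport for r in policy
                  if r.src == src and r.dst == dst and r.action == "allow"}
    return sorted(p for p in candidates if allowed(policy, src, dst, p))


def reachable_zones(policy, src):
    """Zones to which hosts in `src` can initiate connections."""
    return sorted({r.dst for r in policy
                   if r.src == src and r.action == "allow"
                   and allowed(policy, src, r.dst, r.dport)})


def dmz_bypasses(policy, business="business", dmz="dmz", control="control"):
    """Effective flows that skip the DMZ: anything leaving the business zone
    for somewhere other than the DMZ, or entering the control zone from
    somewhere other than the DMZ. An empty list means the pattern holds."""
    flows = set()
    for r in policy:
        if r.action != "allow" or not allowed(policy, r.src, r.dst, r.dport):
            continue
        leaves_business_elsewhere = r.src == business and r.dst != dmz
        enters_control_elsewhere = r.dst == control and r.src != dmz
        if leaves_business_elsewhere or enters_control_elsewhere:
            flows.add((r.src, r.dst, r.dport))
    return sorted(flows)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("dmz", DMZ_POLICY)):
        print(name, "direct business->control ports:", direct_ports(policy))
        print(name, "flows bypassing the DMZ:", dmz_bypasses(policy))
```

The point of the second rule set is not that fewer ports are open but that every business-side flow terminates on a DMZ host, where it can be logged, authenticated and cut off without touching the control network; that host is one of the "multiple layers" a legacy ICS otherwise lacks.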
“Corporate IT is incredibly resistant to any solution that they have not found,” noted the automation engineer from the pharma company. “Even if it is phenomenally better than anything they have currently, they don’t care.”
It’s time to start caring—and preparing.